(57) Abstract

The encoding technique of this public key cryptosystem uses a mixing
system based on polynomial algebra and reduction modulo two numbers,
p and q, while the decoding technique uses an unmixing system whose
validity depends on elementary probability theory. A method for
encoding and decoding a digital message comprises the steps:
selecting ideals p and q of a ring R (305); generating elements f and
g of the ring R (325), and generating an element F_q which is an
inverse of f (mod q), and generating F_p which is an inverse of f
(mod p) (340); producing a public key that includes h (350), where h
is congruent, mod q, to a product that can be derived using g and
F_q; producing a private key from which f and F_p can be derived;
producing an encoded message by encoding the message using the public
key and a random element; and producing a decoded message by decoding
the encoded message using the private key.
PUBLIC KEY CRYPTOSYSTEM METHOD AND APPARATUS
RELATED APPLICATION 

This application claims priority from U.S. Provisional 
Patent Application Number 60/024,133, filed August 19, 1996, 
and said Provisional Patent Application is incorporated herein 
by reference. 

FIELD OF THE INVENTION 

This invention relates to encoding and decoding of 
information and, more particularly, to a public key 
cryptosystem for encryption and decryption of digital messages 
by processor systems.

BACKGROUND OF THE INVENTION 

Secure exchange of data between two parties, for example, 
between two computers, requires encryption. There are two 
general methods of encryption in use today, private key 
encryption and public key encryption. In private key
encryption, the two parties privately exchange the keys to be 
used for encoding and decoding. A widely used example of a 
private key cryptosystem is DES, the Data Encryption Standard. 
Such systems can be very fast and very secure, but they suffer 
the disadvantage that the two parties must exchange their keys 
privately. 

A public key cryptosystem is one in which each party can 
publish their encoding process without compromising the 
security of the decoding process. The encoding process is 
popularly called a trap-door function. Public key 
cryptosystems, although generally slower than private key 
cryptosystems, are used for transmitting small amounts of 
data, such as credit card numbers, and also to transmit a 
private key which is then used for private key encoding. 

Heretofore a variety of trap-door functions have been 
proposed and implemented for public key cryptosystems. 

One type of trap-door function which has been used to 
create public key cryptosystems involves exponentiation in a 
group; that is, taking an element of a group and repeatedly 
multiplying the element by itself using the group operation. 
The group most often chosen is the multiplicative group modulo 
pq for large prime numbers p and q, although other groups such 
as elliptic curves, abelian varieties, and even non- 
commutative matrix groups, have been described. However, this 
type of trap-door function requires large prime numbers, on 
the order of 100 digits each, making key creation cumbersome; 
and the exponentiation process used for encoding and decoding
is computationally intensive, requiring many multiplications
of hundred digit numbers and on the order of N^3 operations to
encode or decode a message consisting of N bits.

A second type of trap-door function which has been used 
to create public key cryptosystems is based on the difficulty 
of determining which numbers are squares in a group, usually 
the multiplicative group modulo pq for large primes p and q. 
Just as in the first type, key creation is cumbersome and 
encoding and decoding are computationally intensive, requiring 
on the order of N^3 operations to encode or decode a message
consisting of N bits. 

A third type of trap-door function involves the discrete 
logarithm problem in a group, generally the multiplicative 
group or an elliptic curve modulo a large prime p. Again, key 
creation is cumbersome, since the prime p needs at least 150 
digits and p - 1 must have a large prime factor; and such 
systems use exponentiation, so again require on the order of N^3
operations to encode or decode a message consisting of N bits.

A fourth type of trap-door function which has been used 
to create public key cryptosystems is based on the knapsack, 
or subset sum, problem. These functions use a semigroup, 
normally the semigroup of positive integers under addition. 
Many public key cryptosystems of this type have been broken 
using lattice reduction techniques, so they are no longer 
considered secure systems. 

A fifth type of trap-door function which has been used to 
create public key cryptosystems is based on error correcting
codes, especially Goppa codes. These cryptosystems use linear 
algebra over a finite field, generally the field with two 
elements. There are linear algebra attacks on these 
cryptosystems, so the key for a secure cryptosystem is a large 
rectangular matrix, on the order of 400,000 bits. This is too 
large for most applications. 

A sixth type of trap-door function which has been used to 
create public key cryptosystems is based on the difficulty of 
finding extremely short basis vectors in a lattice of large 
dimension N. The keys for such a system have length on the 
order of N^2 bits, which is too large for many applications. In
addition, these lattice reduction public key cryptosystems are 
very new, so their security has not yet been fully analyzed. 

Most users, therefore, would find it desirable to have a 
public key cryptosystem which combines relatively short, 
easily created keys with relatively high speed encoding and 
decoding processes. 

It is among the objects of the invention to provide a 
public key encryption system for which keys are relatively 
short and easily created and for which the encoding and 
decoding processes can be performed rapidly. It is also among 
the objects hereof to provide a public key encryption system 
which has relatively low memory requirements and which depends 
on a variety of parameters that permit substantial flexibility 
in balancing security level, key length, encoding and decoding 
speed, memory requirements, and bandwidth. 
SUMMARY OF THE INVENTION

The invention allows keys to be chosen essentially at 
random from a large set of vectors, with key lengths 
comparable to the key lengths in other common public key 
cryptosystems, and features an appropriate (e.g. ~2^80 for
current circumstances) security level, and provides encoding
and decoding processes which are between one and two orders of 
magnitude faster than the most widely used public key 
cryptosystem, namely the exponentiation cryptosystem 
referenced above. 

The encoding technique of an embodiment of the public key 
cryptosystem hereof uses a mixing system based on polynomial 
algebra and reduction modulo two numbers, p and q, while the 
decoding technique uses an unmixing system whose validity 
depends on elementary probability theory. The security of the 
public key cryptosystem hereof comes from the interaction of 
the polynomial mixing system with the independence of 
reduction modulo p and q. Security also relies on the 
experimentally observed fact that for most lattices, it is 
very difficult to find the shortest vector if there are a 
large number of vectors which are only moderately longer than 
the shortest vector. 

An embodiment of the invention is in the form of a method 
for encoding and decoding a digital message m, comprising the 
following steps: selecting ideals p and q of a ring R;
generating elements f and g of the ring R, and generating an
element F_q which is an inverse of f (mod q), and generating an
element F_p which is an inverse of f (mod p); producing a public
key that includes h, where h is congruent, mod q, to a product
that can be derived using g and F_q; producing a private key
from which f and F_p can be derived; producing an encoded
message e by encoding the message m using the public key and a
random element φ; and producing a decoded message by decoding
the encoded message e using the private key.

Further features and advantages of the invention will 
become more readily apparent from the following detailed 
description when taken in conjunction with the accompanying 
drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a block diagram of a system that can be used 
in practicing embodiments of the invention. 

Figure 2 is a flow diagram of a public key encryption 
system which, when taken with the subsidiary flow diagrams 
referred to therein, can be used in implementing embodiments 
of the invention. 

Figure 3 is a flow diagram of a routine, in accordance 
with an embodiment of the invention, for generating public and 
private keys.

Figure 4 is a flow diagram in accordance with an 
embodiment of the invention, for encoding a message using a 
public key. 

Figure 5 is a flow diagram in accordance with an 
embodiment of the invention, for decoding an encoded message 
using a private key. 

Figure 6 is a flow diagram of a routine, in accordance 
with another embodiment of the invention, for generating 
public and private keys. 

Figure 7 is a flow diagram in accordance with another 
embodiment of the invention, for encoding a message using a 
public key. 

Figure 8 is a flow diagram in accordance with another 
embodiment of the invention, for decoding an encoded message 
using a private key. 
DETAILED DESCRIPTION



Figure 1 is a block diagram of a system that can be used 
in practicing embodiments of the invention. Two processor- 
based subsystems 105 and 155 are shown as being in 
communication over an insecure channel 50, which may be, for 
example, any wired or wireless communication channel such as a
telephone or internet communication channel. The subsystem
105 includes processor 110 and the subsystem 155 includes 
processor 160. When programmed in the manner to be described, 
the processors 110 and 160 and their associated circuits can 
be used to implement an embodiment of the invention and to 
practice an embodiment of the method of the invention. The 
processors 110 and 160 may each be any suitable processor, for 
example an electronic digital processor or microprocessor. It 
will be understood that any general purpose or special purpose 
processor, or other machine or circuitry that can perform the 
functions described herein, electronically, optically, or by 
other means, can be utilized. The processors may be, for 
example, Intel Pentium processors. The subsystem 105 will 
typically include memories 123, clock and timing circuitry 
121, input/output functions 118 and monitor 125, which may all
be of conventional types. Inputs can include a keyboard input 
as represented at 103. Communication is via transceiver 135, 
which may comprise a modem or any suitable device for 
communicating signals. 

WO 98/08323 PCT/US97/15826

The subsystem 155 in this illustrative embodiment can
have a similar configuration to that of subsystem 105. The
processor 160 has associated input/output circuitry 164, 
memories 168, clock and timing circuitry 173, and a monitor 
176. Inputs include a keyboard 155. Communication of 
subsystem 155 with the outside world is via transceiver 162 
which, again, may comprise a modem or any suitable device for 
communicating signals. 

The encoding technique of an embodiment of the public key 
cryptosystem hereof uses a mixing system based on polynomial 
algebra and reduction modulo two numbers, p and q, while the 
decoding technique uses an unmixing system whose validity 
depends on elementary probability theory. [It will be 
understood that the polynomial is a convenient representation 
of ordered coefficients (a polynomial of degree N-l having N 
ordered coefficients, some of which may be zero) , and that the 
processor will perform designated operations on coefficients.] 
The security of the public key cryptosystem hereof comes from 
the interaction of the polynomial mixing system with the 
independence of reduction modulo p and q. Security also 
relies on the experimentally observed fact that for most 
lattices, it is very difficult to find the shortest vector if 
there are a large number of vectors which are only moderately
longer than the shortest vector.

The cryptosystem hereof fits into the general framework 
of a probabilistic cryptosystem as described in M. Blum et 
al., "An Efficient Probabilistic Public-Key Encryption Scheme 
Which Hides All Partial Information", Advances in Cryptology: 
Proceedings of CRYPTO 84, Lecture Notes in Computer Science,
Vol. 196, Springer- Verlag, 1985, pp. 289-299; and S. 
Goldwasser et al., "Probabilistic Encryption", J. Computer and
Systems Science 28 (1984), 270-299. This means that
encryption includes a random element, so each message has many
possible encryptions. Encoding and decoding and key creation
are relatively fast and easy using the technique hereof, in
which it takes O(N^2) operations to encode or decode a message
block of length N, making it considerably faster than the O(N^3)
operations required by RSA. Key lengths are O(N), which
compares well with the O(N^2) key lengths required by other
"fast" public key systems such as those described in R.J.
McEliece, "A Public-Key Cryptosystem Based On Algebraic Coding
Theory", JPL Pasadena, DSN Progress Reports 42-44 (1978), 114-
116 and O. Goldreich et al., "Public-Key Cryptosystems From
Lattice Reduction Problems", MIT - Laboratory for Computer
Science preprint, November 1996.

An embodiment of the cryptosystem hereof depends on four
integer parameters (N,K,p,q) and three sets L_g, L_φ, L_m of
polynomials of degree N-1 with integer coefficients. This
embodiment works in the ring R = Z[X]/(X^N - 1). An element F ∈ R
will be written as a polynomial or a vector,

$$F = \sum_{i=1}^{N} F_i X^{N-i} = [F_1, F_2, \ldots, F_N].$$
The star "*" denotes multiplication in R. This star 
multiplication is given explicitly as a cyclic convolution
product, F * G = H with 



When a multiplication modulo (say) q is performed, the
coefficients are reduced modulo q. Further reference can be
made to Appendix 1.

The following is an example of an embodiment in 
accordance with the invention of a public key cryptosystem. 
Very small numbers are used for ease of illustration, so the 
example would not be cryptographically secure. In conjunction 
with the example there is described, as material in double
brackets ([[ ]]), operating parameters that would provide a
practical cryptographically secure cryptosystem under current 
conditions. Further discussion of the operating parameters to 
achieve a particular level of security is set forth in 
Appendix 1, which also describes the degree of immunity of an 
embodiment of the cryptosystem hereof to various types of 
attack. 

The objects used in an embodiment hereof are polynomials
of degree N-1,

$$a_1 x^{N-1} + a_2 x^{N-2} + \cdots + a_{N-1} x + a_N,$$

where the coefficients a_1, ..., a_N are integers. In the "star"
multiplication hereof, x^N is replaced by 1, and x^{N+1} is replaced
by x, and x^{N+2} is replaced by x^2, and so on. [A polynomial may
also be represented by an N-tuple of numbers
[a_1, a_2, ..., a_N].

In such case the star product is also known as the convolution 
product. For large values of N, it may be faster to compute 
convolution products using the method of Fast Fourier 
Transforms, which take on the order of NlogN steps instead of 
N^2 steps.] For example, taking N=5, and two exemplary
polynomials, the star multiplication gives

(x^4 + 2x^2 - 3x + 2) * (2x^4 + 3x^3 + 5x - 1)
= 2x^8 + 3x^7 + 4x^6 + 5x^5 - 6x^4 + 16x^3 - 17x^2 + 13x - 2
= 2x^3 + 3x^2 + 4x + 5 - 6x^4 + 16x^3 - 17x^2 + 13x - 2
= -6x^4 + 18x^3 - 14x^2 + 17x + 3

[[A secure system may use, for example, N = 167 or N = 263.]]
[This embodiment uses the ring of polynomials with integer
coefficients modulo the ideal consisting of all multiples of x^N
-1. More generally, one could use polynomials modulo a 
different ideal; and even more generally, one could use some 
other ring R. For further information on rings and ideals, 
reference can be made, for example, to Topics in Algebra by 
I.N. Herstein.] 

Another aspect of the present embodiment involves
reducing the coefficients of a polynomial modulo an integer,
such as the ideal q. This essentially means dividing each
coefficient by q and replacing the coefficient with its
remainder. For example, if q = 128 and if some coefficient is
2377, then that coefficient would be replaced with 73, because
2377 divided by 128 equals 18, with a remainder of 73.
However, it is easier to use "centered remainders." This
means that if the remainder is between 0 and q/2, it is left
alone, but if it is between q/2 and q, then q is subtracted
from it. Accordingly, using centered remainders for q = 128,
2377 would be replaced by -55, since -55 = 73 - 128.

To indicate that this remainder process is being
performed, a triple equal sign (≡) is used, along with the
designation "mod q." The following is an example which
combines star multiplication of two polynomials with reduction
modulo 5. The answer uses centered remainders.

(x^4 + 2x^2 - 3x + 2) * (2x^4 + 3x^3 + 5x - 1) = -6x^4 + 18x^3 - 14x^2 + 17x + 3

≡ -x^4 - 2x^3 + x^2 + 2x - 2 (mod 5).

In creating a public key cryptosystem in accordance with
an embodiment hereof (and with the previously indicated small
numbers for ease of illustration), a first step is to choose
integer parameters N, K, p, and q. Take, for example

N = 5, K = 1, p = 3, q = 128.

[[A secure system may use, for example, N = 167, K = 6, p = 3, q = 2^16 =
65536.]] Preferably, p and q will be relatively prime; that
is, they will have no common factors greater than 1. A
discussion of the desirability of having the ideals p and q be
relatively prime is set forth in Appendix 1.
Some sets of polynomials are chosen, as follows: 
L_g = {polynomials whose coefficients are -2's, -1's, 0's,
1's, and 2's}

L_φ = {polynomials with two -1's, two 1's, and one 0 as
coefficients}

L_m = {polynomials whose coefficients are -1's, 0's, and
1's}

[[A secure system may use, for example

L_g = {polynomials whose coefficients lie between -177 and
177}

L_φ = {polynomials whose coefficients are forty 1's, forty
-1's, the rest 0's}

L_m = {polynomials whose coefficients lie between -3 and 3}

(Note: The polynomials have degree N-1, so for the secure
parameters of the example, the polynomials have degree 166.
Further, the actual message m being encoded consists of the
remainders when the coefficients of m are divided by p, where
in this example p = 3.)]]

The set L_g is used to create the key for the cryptosystem,
the set L_φ is used for encoding messages, and the set L_m is the
set of possible messages. For example,

2x^4 - x^3 + x - 2 is in the set L_g, and
x^4 - x^3 - x^2 + 1 is in the set L_φ.

To implement the key creation of this example, the key
creator, call him Dan, chooses two polynomials f and g from
the set L_g. In this simplified example K = 1, so there is one
polynomial g. Suppose that Dan chooses

f = x^4 - x^3 + 2x^2 - 2x + 1,
g = x^4 - x^3 + x^2 - 2x + 2.

[[A secure system may use, for example, K + 1 polynomials f,
g_1, ..., g_K ∈ L_g with K = 6.]]

A requirement hereof is that f must have an inverse
modulo q and an inverse modulo p. What this means is that
there must be polynomials F_q and F_p so that

F_q * f ≡ 1 (mod q) and F_p * f ≡ 1 (mod p).

The well known Euclidean algorithm can be used to compute F_q
and F_p. Reference can be made, for example, to Appendix II
hereof. (Some f's may not have inverses, in which case Dan
would have to go back and choose another f.) For the above
example f, we have

F_q = 103x^4 + 29x^3 + 116x^2 + 79x + 58,

F_p = 2x^4 + 2x.

To check that this is the right F_q for f, one can multiply

F_q * f = (103x^4 + 29x^3 + 116x^2 + 79x + 58) * (x^4 - x^3 + 2x^2 - 2x + 1)
= 256x^4 + 256x - 127
≡ 1 (mod 128).

Similarly, to check that F_p is correct, one can multiply

F_p * f = (2x^4 + 2x) * (x^4 - x^3 + 2x^2 - 2x + 1)
= 6x^3 - 6x^2 + 6x - 2
≡ 1 (mod 3).

Now, the key creator Dan is ready to create his public
key, which is the polynomial h given by

h = F_q * g (mod q).

[[A secure system may use, for example, K polynomials h_1, ..., h_K
given by

h_i = F_q * g_i (mod q) with i = 1, 2, ..., K,

with K = 6.]]

Continuing with the example, Dan would compute

F_q * g = (103x^4 + 29x^3 + 116x^2 + 79x + 58) * (x^4 - x^3 + x^2 - 2x + 2)
= 243x^4 - 50x^3 + 58x^2 + 232x - 98
≡ -13x^4 - 50x^3 + 58x^2 - 24x + 30 (mod 128).

Then Dan's public key is the polynomial

h = -13x^4 - 50x^3 + 58x^2 - 24x + 30.
Dan's private key is the pair of polynomials (f, F p ) . In 
principle, the polynomial f itself can function as the private 
key, because F p can always be computed from f; but in practice 
Dan would probably want to precompute and save F p . 

In the next part of the example, encoding with the public
key is described. Suppose the encoder, call her Cathy, wants
to send Dan a message using his public key h. She chooses a
message from the set of possible messages L_m. For example,
suppose that she wants to send the message

m = x^4 - x^3 + x^2 + 1.

To encode this message, she chooses at random a polynomial φ
from the set L_φ. For example, say she selects

φ = -x^4 + x^3 - x^2 + 1.

She uses this randomly chosen polynomial φ, Dan's public key h
(as well as p and q, which are part of the public key), and
her plaintext message m to create the encoded message e using
the formula

e ≡ pφ * h + m (mod q).

[[A secure system may use K public keys h_1, ..., h_K, with K = 6
for the secure example. To encode a message, Cathy can
randomly choose K polynomials φ_1, ..., φ_K from the set L_φ and
then create the encoded message e by computing
e ≡ pφ_1 * h_1 + pφ_2 * h_2 + ... + pφ_K * h_K + m (mod q).]] An alternative would
be to let h equal pF_q * g (mod q), and then the message can be
encoded using the formula e ≡ φ * h + m (mod q). For the present
example, Cathy computes

pφ * h + m = 3(-x^4 + x^3 - x^2 + 1) * (-13x^4 - 50x^3 + 58x^2 - 24x + 30)
+ (x^4 - x^3 + x^2 + 1)
= -374x^4 + 50x^3 + 196x^2 - 357x + 487
≡ 10x^4 + 50x^3 - 60x^2 + 27x - 25 (mod 128).

So Cathy's encoded message is the polynomial

e = 10x^4 + 50x^3 - 60x^2 + 27x - 25,

and she sends this encoded message to Dan.

In the next part of the example, decoding using the
private key is described. In order to decode the message e,
Dan first uses his private key f to compute the polynomial

a ≡ f * e (mod q).

For the example being used, he computes

f * e = (x^4 - x^3 + 2x^2 - 2x + 1) * (10x^4 + 50x^3 - 60x^2 + 27x - 25)
= -262x^4 + 259x^3 - 124x^2 - 13x + 142
≡ -6x^4 + 3x^3 + 4x^2 - 13x + 14 (mod 128),

so the polynomial a is

a = -6x^4 + 3x^3 + 4x^2 - 13x + 14.

Next, Dan uses F_p, the other half of his private key, to
compute

F_p * a (mod p),

and the result will be the decoded message. Thus for the
present example, Dan computes

F_p * a = (2x^4 + 2x) * (-6x^4 + 3x^3 + 4x^2 - 13x + 14)
= 34x^4 - 4x^3 - 20x^2 + 36x - 38
≡ x^4 - x^3 + x^2 + 1 (mod 3).

Reference can be made to Appendix I for further description of
why the decoding works.
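The star product, centered remainders, inverse computation, key creation, encoding and decoding worked through by hand above, as an added example that is not part of the patent text: it re-runs the document's N = 5, K = 1, p = 3, q = 128 example end to end and reproduces its F_p, F_q, h, e and decoded m. The polynomial inverse is computed here by the extended Euclidean algorithm over GF(p) followed by Newton (Hensel) lifting for a prime-power q; this is the editor's choice of method, not the procedure of the patent's Appendix II, which is not reproduced on this page. The names star, center, inverse_mod, make_keys, encode, decode and run_example are this example's own, it assumes q is a power of a prime, and polynomials are stored highest degree first to match the document's [a_1, ..., a_N] convention.

```python
from itertools import zip_longest

def star(F, G):
    """Star product: cyclic convolution in R = Z[X]/(X^N - 1); lists are highest degree first."""
    N, H = len(F), [0] * len(F)
    for i, fi in enumerate(F):
        for j, gj in enumerate(G):
            H[(i + j + 1) % N] += fi * gj      # slot i holds x^(N-1-i); x^N wraps to 1
    return H

def center(F, n):
    """Centered remainders modulo n, as the text uses for reduction mod p and mod q."""
    return [(c % n) - n if (c % n) > n // 2 else c % n for c in F]

def inverse_mod(f, prime, modulus):
    """Inverse of f in (Z/modulus)[X]/(X^N - 1) for modulus = prime^k, or None if f is not a unit.
    Extended Euclid over GF(prime) (the text's 'well known Euclidean algorithm'), then Newton
    lifting F <- F*(2 - f*F), which doubles the prime-adic precision each round."""
    N, p = len(f), prime

    def trim(a):                              # low-degree-first lists inside this routine
        while a and a[-1] % p == 0:
            a = a[:-1]
        return a

    def mul(a, b):                            # ordinary polynomial product over GF(p)
        out = [0] * (len(a) + len(b) - 1) if a and b else []
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                out[i + j] = (out[i + j] + ai * bj) % p
        return trim(out)

    def divmod_p(a, b):                       # long division over GF(p): (quotient, remainder)
        a, quot, lead_inv = [c % p for c in a], [0] * max(len(a) - len(b) + 1, 1), pow(b[-1], -1, p)
        while len(trim(a)) >= len(b):
            a = trim(a)
            shift = len(a) - len(b)
            coef = quot[shift] = a[-1] * lead_inv % p
            for k, bk in enumerate(b):
                a[shift + k] = (a[shift + k] - coef * bk) % p
        return trim(quot), trim(a)

    r0, r1 = trim([c % p for c in reversed(f)]), [p - 1] + [0] * (N - 1) + [1]   # f and X^N - 1
    s0, s1 = [1], []                          # invariant: s_i * f == r_i (mod X^N - 1, mod p)
    while r1:
        qt, r = divmod_p(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, trim([(x - y) % p for x, y in zip_longest(s0, mul(qt, s1), fillvalue=0)])
    if len(r0) != 1:                          # gcd has positive degree: no inverse, pick another f
        return None
    c = pow(r0[0], -1, p)
    F = center(list(reversed(([x * c % p for x in s0] + [0] * N)[:N])), p)
    one, two = [0] * (N - 1) + [1], [0] * (N - 1) + [2]
    for _ in range(modulus.bit_length()):     # enough rounds for any prime power modulus
        if center(star(f, F), modulus) == one:
            return F
        F = center(star(F, [a - b for a, b in zip(two, star(f, F))]), modulus)
    return None

def make_keys(f, g, p, q, q_prime):
    """Public key h = F_q * g (mod q); private key (f, F_p). K = 1, as in the worked example."""
    F_p, F_q = inverse_mod(f, p, p), inverse_mod(f, q_prime, q)
    if F_p is None or F_q is None:
        return None
    return center(star(F_q, g), q), (f, F_p)

def encode(m, phi, h, p, q):
    """e = p*phi*h + m (mod q), with phi the sender's random polynomial from L_phi."""
    return center([x + y for x, y in zip(star([p * c for c in phi], h), m)], q)

def decode(e, f, F_p, p, q):
    """a = f*e (mod q), which equals p*phi*g + f*m exactly when q is large enough; then F_p*a (mod p)."""
    return center(star(F_p, center(star(f, e), q)), p)

# The document's worked values: N=5, K=1, p=3, q=128 = 2^7 (so lifting for F_q starts mod 2).
P, Q = 3, 128
f = [1, -1, 2, -2, 1]        # x^4 - x^3 + 2x^2 - 2x + 1   (in L_g)
g = [1, -1, 1, -2, 2]        # x^4 - x^3 + x^2 - 2x + 2    (in L_g)
m = [1, -1, 1, 0, 1]         # x^4 - x^3 + x^2 + 1         (in L_m)
phi = [-1, 1, -1, 0, 1]      # -x^4 + x^3 - x^2 + 1        (in L_phi: two 1's, two -1's, one 0)

def run_example():
    """Returns (h, e, decoded m); with the text's values h and e match its figures."""
    h, (f_priv, F_p) = make_keys(f, g, P, Q, 2)
    e = encode(m, phi, h, P, Q)
    return h, e, decode(e, f_priv, F_p, P, Q)

if __name__ == "__main__":
    h, e, recovered = run_example()
    print("h =", h)                     # [-13, -50, 58, -24, 30]
    print("e =", e)                     # [10, 50, -60, 27, -25]
    print("decoded == m:", recovered == m)
```

The step that makes decoding work is that f * e reduced mod q is not merely congruent to pφ * g + f * m but equal to it as integer polynomials, because every coefficient of that sum stays inside (-q/2, q/2]; if one fell outside, the wrap-around would survive the reduction mod p and the recovered message would be wrong, which is the reason the secure parameters above take q as large as 2^16. A real implementation would draw f, g and φ from a cryptographically secure random source; the fixed values here exist only so that each intermediate can be checked against the text.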

In a further embodiment of the invention the ring is a 
ring of matrices. For example, one can use the ring 

R = (the ring of M x M matrices with integer
coefficients).

An element of R looks like

$$\begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1M} \\ a_{21} & a_{22} & \cdots & a_{2M} \\ \vdots & \vdots & & \vdots \\ a_{M1} & a_{M2} & \cdots & a_{MM} \end{pmatrix}$$

where the coefficients a_{ij} are integers. Addition and
multiplication are as usual for matrices, and it will be
understood that the processor can treat the matrix members as
numbers stored and operated on in any convenient manner. Let
N = M^2, so a matrix in R has N coefficients. Relatively
prime integers p and q are chosen.

In this case, to create a private key, Dan chooses K + 2
matrices from R. These matrices can be called

f, g, w_1, w_2, ..., w_K.

These matrices should have the property that f, g, w_1, ..., w_K have
fairly small coefficients, and every w_i satisfies

w_i ≡ 0 (mod p).

(In other words, every coefficient of every w_i is a multiple of
p.) To create his key, Dan needs to find inverses for f and g
modulo p and q. Thus he finds matrices F_p, F_q, G_p, G_q in R
satisfying

fF_p ≡ I (mod p)
fF_q ≡ I (mod q)
gG_p ≡ I (mod p)
gG_q ≡ I (mod q)

where I is the M x M identity matrix. In general, this is
quite easy to do; and if by some chance one of the inverses
fails to exist, Dan just chooses a new f or g.

Dan's public key is a list of K matrices (h_1, h_2, ..., h_K)
determined by the condition

h_i ≡ F_q w_i G_q (mod q) for i = 1, 2, ..., K.

(Note that the w_i's are congruent to zero modulo p.) His
private key is the four matrices (f, g, F_p, G_p). In principle, f
and g alone can be used as the private key, but in practice it
is more efficient to precompute and store F_p, G_p.

The encoding for this matrix example is described next.
Suppose that Cathy wants to encode a message m. The message m
is a matrix with coefficients modulo p. In order to encode
her message, she chooses at random some integers φ_1, ..., φ_K
satisfying some condition; for example, they might be chosen
to be non-negative integers whose sum φ_1 + ... + φ_K equals a
predetermined value d. (Note that the φ_i's are ordinary
integers, they are not matrices. Equivalently, they can be
thought of as multiples of the identity matrix, so they will
commute with every element of the ring R.)

Having chosen her φ_i's, Cathy creates her encoded message
e by the rule

e ≡ φ_1 h_1 + φ_2 h_2 + ... + φ_K h_K + m (mod q).

The decoding for this matrix example is described next.
We now assume that Dan has received the encoded message e and
wishes to decipher it. He begins by computing the matrix a
satisfying

a ≡ f e g (mod q).

As usual, Dan chooses the coefficients of a in some restricted
range, such as from -q/2 to q/2 (i.e., zero-centered
coefficients), or from 0 to q-1.

If the parameters have been chosen appropriately, then
the matrix a will be exactly equal to the sum

a = φ_1 w_1 + φ_2 w_2 + ... + φ_K w_K + f m g.

(This will always be true modulo q, but a key point is that if
q is large enough, then it will be an exact equality, not
merely modulo q.) Dan's next step is to reduce a modulo p, say

b ≡ a (mod p).

Since all of the coefficients of the w_i's are divisible by p,
this means that

b ≡ f m g (mod p).

Finally Dan computes

F_p b G_p (mod p)

to recover the original message m.
The described M x M matrix embodiment has excellent
operating time. Encoding requires only scalar multiplications
and additions and takes on the order of M^2 operations. Decoding
requires two matrix multiplications of M x M matrices, so takes
on the order of M^3 operations. The message length is on the
order of M^2, so if N denotes the natural message length (i.e.,
N = M^2), then the matrix embodiment requires O(N) steps to
encode and O(N^{3/2}) steps to decode. For comparison, the
polynomial embodiment requires O(N^2) steps to encode and O(N^2)
steps to decode, and the RSA public key system requires O(N^3)
steps to encode and O(N^3) steps to decode.

A preliminary analysis suggests that the only natural
lattice attacks on the matrix embodiment require using
lattices whose dimension is N^2 + N (or larger). This would be a
significant security improvement over the 2N dimensional
lattices used to attack the polynomial embodiment.

In order to avoid brute-force (or potential meet-in-the-
middle) attacks, it is necessary that the sample space for the
φ_i's be fairly large, say between 2^100 and 2^200. However, this
is not difficult to achieve. For example, if the φ_i's are
chosen non-negative with sum d, then the sample space has

$$\binom{d+K-1}{d} = \frac{(d+K-1)!}{d!\,(K-1)!}$$

elements. So if one takes K = 15 and d = 1024, for example,
one gets a sample space with 2^103.8 elements.

The public key size is K M^2 log_2(q) bits, and the private
key size is 2 M^2 log_2(pq) bits. Both of these are of a practical
size.
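The matrix embodiment described above (key creation from f, g and the w_i, encoding with integer φ_i, the unmixing a = f e g and the final F_p b G_p), together with the count of the φ_i sample space just given, as an added example that is not part of the patent text. The toy values M = 2, K = 2, p = 3, q = 128 and the specific f, g, w_1, w_2, m and φ_i are constructed for this example and are not the document's; the modular matrix inverses are computed by Gauss-Jordan elimination with unit pivots, which is valid for prime or prime-power moduli such as 3 and 2^k; and the names inv_matrix_mod, make_keys, encode, unmix, decode and sample_space_bits are this example's own.

```python
from math import comb, gcd, log2

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def matadd(*Ms):
    return [[sum(vals) for vals in zip(*rows)] for rows in zip(*Ms)]

def scale(k, A):
    return [[k * x for x in row] for row in A]

def center(A, n):
    """Zero-centered coefficients in (-n/2, n/2], the range the text has Dan use."""
    return [[(x % n) - n if (x % n) > n // 2 else x % n for x in row] for row in A]

def inv_matrix_mod(A, n):
    """Inverse of A modulo n by Gauss-Jordan elimination with unit pivots.
    Sound for n a prime or prime power (p = 3 and q = 2^k here); returns None
    when no inverse exists, the case where the text says to pick a new f or g."""
    M = len(A)
    aug = [[x % n for x in row] + [int(i == j) for j in range(M)] for i, row in enumerate(A)]
    for col in range(M):
        piv = next((r for r in range(col, M) if gcd(aug[r][col], n) == 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, n)
        aug[col] = [x * inv % n for x in aug[col]]
        for r in range(M):
            if r != col and aug[r][col]:
                k = aug[r][col]
                aug[r] = [(x - k * y) % n for x, y in zip(aug[r], aug[col])]
    return center([row[M:] for row in aug], n)

def make_keys(f, g, ws, p, q):
    """Public key h_i = F_q w_i G_q (mod q); private key (f, g, F_p, G_p)."""
    if any(x % p for w in ws for row in w for x in row):
        raise ValueError("every w_i must be congruent to 0 mod p")
    F_p, F_q, G_p, G_q = (inv_matrix_mod(f, p), inv_matrix_mod(f, q),
                          inv_matrix_mod(g, p), inv_matrix_mod(g, q))
    if None in (F_p, F_q, G_p, G_q):
        return None
    return [center(matmul(matmul(F_q, w), G_q), q) for w in ws], (f, g, F_p, G_p)

def encode(m, phis, hs, q):
    """e = phi_1 h_1 + ... + phi_K h_K + m (mod q); the phi_i are ordinary integers."""
    return center(matadd(*[scale(ph, h) for ph, h in zip(phis, hs)], m), q)

def unmix(e, f, g, q):
    """a = f e g (mod q): equal to sum(phi_i w_i) + f m g exactly when q is large enough."""
    return center(matmul(matmul(f, e), g), q)

def decode(e, f, g, F_p, G_p, p, q):
    """Reduce a mod p (the w_i terms vanish, leaving f m g) and strip f and g with F_p, G_p."""
    b = center(unmix(e, f, g, q), p)
    return center(matmul(matmul(F_p, b), G_p), p)

def sample_space_bits(K, d):
    """log2 of the number of non-negative K-tuples (phi_1..phi_K) with sum d: C(d+K-1, d)."""
    return log2(comb(d + K - 1, d))

# Constructed toy values (not from the text): M = 2, K = 2, p = 3, q = 128.
# f and g have determinant +-1 so they are invertible mod 3 and mod 128; the w_i are
# multiples of p; m has entries already reduced mod p; phi_1 + phi_2 = d = 3.
P, Q = 3, 128
f = [[2, 1], [1, 1]]
g = [[1, 2], [1, 1]]
ws = [[[3, 0], [-3, 3]], [[0, 3], [3, -3]]]
m = [[1, -1], [0, 1]]
phis = [2, 1]

def run_example():
    """Returns (e, a, decoded m) for the toy values above."""
    hs, (f_, g_, F_p, G_p) = make_keys(f, g, ws, P, Q)
    e = encode(m, phis, hs, Q)
    return e, unmix(e, f_, g_, Q), decode(e, f_, g_, F_p, G_p, P, Q)

if __name__ == "__main__":
    e, a, recovered = run_example()
    print("a = f e g mod q:", a)                     # [[7, 6], [-2, 5]], exactly 2 w_1 + w_2 + f m g
    print("decoded == m:", recovered == m)          # True
    print("K=15, d=1024: 2^%.1f choices of phi" % sample_space_bits(15, 1024))   # 2^103.8
```

With these values a = 2 w_1 + w_2 + f m g = [[7, 6], [-2, 5]] holds as an integer identity because every entry lies inside (-64, 64]; a larger d or larger w_i would push entries past q/2 and the wrap-around would corrupt the reduction mod p, which is the "q large enough" condition stated in the text. The pivot search in inv_matrix_mod is what makes the Gauss-Jordan step correct modulo 128: an even pivot has no inverse there, so a row with an odd entry in the column must be swapped in first.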

Figure 2 illustrates a basic procedure that can be 
utilized with a public key encryption system, and refers to 
routines illustrated by other referenced flow diagrams which 
describe features in accordance with an embodiment of the 
invention. The block 210 represents the generating of the 
public key and private key information, and the "publishing" 
of the public key. The routine of an embodiment hereof is 
described in conjunction with the flow diagram of Figure 3. 
In the present example, it can be assumed that this operation 
is performed at the processor system 105. The public key 
information can be published; that is, made available to any 
member of the public or to any desired group from whom the 
private key holder desires to receive encrypted messages. 
Typically, although not necessarily, the public key may be 
made available at a central public key library facility or 
website where a directory of public key holders and their 
public keys are maintained. In the present example, it is 
assumed that the user of the processor system 155 wants to 
send a confidential message to the user of processor system 
105, and that the user of processor system 155 knows the 
published public key of the user of processor system 105.

The block 220 represents the routine that can be used by
the message sender (that is, in this example, the user of 
processor system 155) to encode the plaintext message using 
the public key of the intended message recipient. This
routine, in accordance with an embodiment of the invention, is
described in conjunction with the flow diagram of Figure 4. 
The encrypted message is then transmitted over the channel 50 
(Figure 1) . 

The block 260 of Figure 2 represents the routine for the 
decoding of the encrypted message to recover the plaintext 
message. In the present example, this function is performed 
by the user of the processor system 105, who employs the 
private key information. The decoding routine, for an 
embodiment of the invention, is described in conjunction with 
the flow diagram of Figure 5. 

Referring now to Figure 3, there is shown a flow diagram 
of the routine, as represented generally by the block 210 of 
Figure 2, for generating the public and private keys. The 
routine can be utilized, in the present example, for 
programming the processor 110 of the processor system 105. 
The block 305 represents the choosing of integer parameters N,
p, and q. As first described above, N determines the degree
of the polynomials f and g_i to be generated, and p and q are,
respectively, the two ideals used in producing the star
products. The block 315 represents the selection of K, which
is the number of polynomials g_i to be used. In the simplified
example above, K was 1, and it was noted that a particular
exemplary relatively secure system could use K = 6. Next, the
block 325 represents the choosing of random polynomials f, g_1,
g_2, ..., g_K. The coefficients may, for example, be chosen using a
random number generator, which can be implemented, in known
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fashion, using available hardware or software. In the present 
embodiment, each of the processor systems is provided with a 
random number generator, designated by the blocks 13 0 and 185 
respectively, in Figure 1. 

The block 340 represents application of the Euclidean 
algorithm to determine the inverses, $F_q$ and $F_p$, in the manner 
described above, for the previously selected polynomial f, if 
such inverses exist. If $F_p$, $F_q$ do not exist, the block 325 is 
re-entered, and a new polynomial f is chosen. The loop 330 is 
continued until polynomials are chosen for which the defined 
inverses can be computed. [The probability of the inverses 
existing for a given polynomial is relatively high, so a 
relatively small number of traversals through the loop 330 
will generally be expected before the condition is met.] The 
block 350 is then entered, this block representing the 
computation of the public key, h, in accordance with 
$$h \equiv F_q * g \pmod q$$ 
as first described above. [For K > 1, there will be public key 
components $h_i$ for i = 1, 2, ..., K.] As represented by the block 
360, the private key is retained as the polynomials f, $F_p$, and 
the public key can then be published, as represented by the 
block 370. 

Figure 4 is a flow diagram, represented generally by the 
block 240 of Figure 2, of a routine for programming a 
processor, such as the processor 160 of the processor system 
155 (Figure 1), to implement encoding of a plaintext message m. 
The message to be encoded is input (block 420) and a random 
polynomial $\phi$ is chosen (block 430). [If K > 1, then K random 
polynomials $\phi_1, \phi_2, \ldots, \phi_K$ are chosen.] The polynomial can be 
from the set $\mathcal{L}_\phi$, as described above, and the random 
coefficients can be selected by any hardware or software 
means, for example the random number generator 185. The 
encoded message, e, can then be computed (block 450) as 
$$e \equiv p\phi * h + m \pmod q.$$ 
As first noted above, for K greater than 1, the encoded 
message would be 
$$e \equiv p\phi_1 * h_1 + p\phi_2 * h_2 + \cdots + p\phi_K * h_K + m \pmod q.$$ 
The encoded message can be transmitted (block 460) over 
channel 50 to the keyholder who, in the present example, is 
the user of the processor system 105. 

Figure 5 is a flow diagram, represented generally by the 
block 260 of Figure 2, of a routine in accordance with an 
embodiment of the invention for decoding the encrypted 
message. The block 530 represents the receiving of the 
encrypted message, e. The retained private key information, 
which includes the previously defined polynomials f and $F_p$, and 
the integers N, p, and q, are fetched (block 550). Next, the 
block 570 represents the computation of 
$$a \equiv f * e \pmod q.$$ 
The decoded message, designated here as m', can then be 
computed (block 580) as 
$$m' \equiv F_p * a \pmod p.$$ 
Figures 6, 7 and 8 are flow diagrams relating to the 
above-described matrix embodiment. Figure 6 is a flow diagram 
of the routine, as represented generally by the block 210 of 
Figure 2, for generating the public and private keys. As 
above, the routine can be utilized, in the present example, 
for programming the processor 110 of the processor system 105. 
The block 605 represents the choosing of integer parameters N, 
p, and q, where N is the number of matrix coefficients, and p 
and q are relatively prime integers. The block 615 represents 
the selection of K, which determines the number of matrices. 
Next, the block 625 represents the choosing of random matrices 
$f, g, w_1, w_2, \ldots, w_K$, with the requirement that $w_1, w_2, \ldots, w_K$ 
are all congruent to 0 modulo p. Again, the random number 
generator 130 (Figure 1) can be used for this purpose. 

The block 640 represents determination of the previously 
defined matrices $F_p$, $F_q$, $G_p$ and $G_q$. If these matrices do not 
exist, the block 625 is re-entered, and new matrices f and g 
are chosen. The loop 630 is continued until matrices are 
chosen for which the defined inverses can be computed. The 
block 650 is then entered, this block representing the 
computation of the public key, a list of K matrices 
$(h_1, h_2, \ldots, h_K)$ determined by the condition 
$$h_i \equiv F_q\, w_i\, G_q \pmod q \qquad \text{for } i = 1, 2, \ldots, K.$$ 
As represented by the block 660, the private key is retained 
as the matrices $(f, g, F_p, G_p)$ and the public key can then be 
published, as represented by the block 670. 

Figure 7 is a flow diagram, represented generally by the 
block 240 of Figure 2, of a routine for programming a 
processor, such as the processor 160 of the processor system 
155 (Figure 1), to implement encoding of a plaintext message m 
using the technique of the present matrix embodiment. The 
message to be encoded is input (block 720) and the random 
integers $\phi_1, \phi_2, \ldots, \phi_K$ are chosen (block 730). The integers can 
be selected by the random number generator 185 (Figure 1). 
The encoded message, e, can then be computed (block 750) as 
$$e \equiv \phi_1 h_1 + \phi_2 h_2 + \cdots + \phi_K h_K + m \pmod q.$$ 
The encoded message can be transmitted (block 760) over 
channel 50, to the keyholder which, in the present example, is 
the user of the processor system 105. 

Figure 8 is a flow diagram, represented generally by the 
block 260 of Figure 2, of a routine for decoding the 
encrypted message in accordance with the present matrix 
embodiment. The block 830 represents the receiving of the 
encrypted message, e. The retained private key information, 
which includes the previously defined f, g, $F_p$ and $G_p$, and the 
integers N, p, and q, are fetched (block 850). Then, the 
block 870 represents the computation of 
$$a \equiv f\, e\, g \pmod q.$$ 
Next, a is reduced modulo p to b (block 880) as 
$$b \equiv a \pmod p.$$ 
The decoded message is then computed (block 890) as 
$$m' \equiv F_p\, b\, G_p \pmod p.$$ 
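The matrix embodiment of Figures 6-8, written out as an added Python example; this is not the patent's code. Choices made here that the text leaves open: p = 3 is prime and q = 128 is a power of 2, so inverses modulo p come from Gauss-Jordan elimination over GF(p) and inverses modulo q from Newton-lifting the mod-2 inverse with X ← X(2I − AX); f, g, m and the $W_i$ are 4×4 matrices with entries in {−1, 0, 1} and $w_i = pW_i$, which makes $w_i \equiv 0 \pmod p$ as block 625 requires; the random integers $\phi_i$ of block 730 lie in [1, 3]. With those sizes every entry of $\sum\phi_i w_i + f m g$ is at most 2·3·3 + 4·4 = 34 < q/2, so the centered reduction in block 870 recovers it exactly. All function names and the `seed` arguments are this example's own.

```python
# Added example (not the patent's code): the matrix embodiment of Figures 6-8.
# Assumes p prime, q a power of 2, entries of f, g, m and W_i in {-1,0,1}, w_i = p*W_i.
import random

def matmul(A, B, mod=None):
    n = len(A)
    C = [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]
    return [[x % mod for x in row] for row in C] if mod else C

def center(A, mod):                     # reduce every entry into [-mod/2, mod/2)
    return [[(x + mod // 2) % mod - mod // 2 for x in row] for row in A]

def inverse_mod_prime(A, pr):
    """Gauss-Jordan elimination on [A | I] over GF(pr); None if A is singular mod pr."""
    n = len(A)
    M = [[x % pr for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, pr)
        M[col] = [x * inv % pr for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                c = M[r][col]
                M[r] = [(x - c * y) % pr for x, y in zip(M[r], M[col])]
    return [row[n:] for row in M]

def inverse_mod_pow2(A, q):
    """Inverse mod 2, lifted by Newton's X <- X(2I - AX) until the modulus reaches q = 2^k."""
    X, n, mod = inverse_mod_prime(A, 2), len(A), 2
    if X is None:
        return None
    while mod < q:
        mod *= mod
        AX = matmul(A, X)
        T = [[(2 if i == j else 0) - AX[i][j] for j in range(n)] for i in range(n)]
        X = matmul(X, T, mod)
    return [[x % q for x in row] for row in X]

def rand_mat(n, rng):
    return [[rng.choice((-1, 0, 1)) for _ in range(n)] for _ in range(n)]

def keygen(N, K, p, q, seed):
    """Blocks 625-670: redraw f, g until F_p, F_q, G_p, G_q all exist; h_i = F_q w_i G_q (mod q)."""
    rng = random.Random(seed)
    while True:
        f, g = rand_mat(N, rng), rand_mat(N, rng)
        Fp, Fq = inverse_mod_prime(f, p), inverse_mod_pow2(f, q)
        Gp, Gq = inverse_mod_prime(g, p), inverse_mod_pow2(g, q)
        if None not in (Fp, Fq, Gp, Gq):
            break
    ws = [[[p * x for x in row] for row in rand_mat(N, rng)] for _ in range(K)]  # w_i ≡ 0 (mod p)
    hs = [matmul(matmul(Fq, w), Gq, q) for w in ws]
    return hs, (f, g, Fp, Gp)

def encode(m, hs, q, seed):
    """Block 750: e = phi_1 h_1 + ... + phi_K h_K + m (mod q) with random integers phi_i."""
    rng, e = random.Random(seed), [row[:] for row in m]
    for h in hs:
        phi = rng.randint(1, 3)
        e = [[x + phi * y for x, y in zip(er, hr)] for er, hr in zip(e, h)]
    return [[x % q for x in row] for row in e]

def decode(e, priv, p, q):
    """Blocks 870-890: a = f e g (mod q), b = a (mod p), m' = F_p b G_p (mod p)."""
    f, g, Fp, Gp = priv
    a = center(matmul(matmul(f, e), g), q)   # exactly sum phi_i w_i + f m g when that is small
    b = center(a, p)                         # the w_i terms vanish: b ≡ f m g (mod p)
    return center(matmul(matmul(Fp, b), Gp), p)
```

Because the matrix ring is non-commutative, decoding multiplies by f on the left and g on the right (and by $F_p$, $G_p$ in the same order), exactly as blocks 870 and 890 prescribe; swapping the sides would not cancel $F_q$ and $G_q$ out of the $h_i$.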

The invention has been described with reference to 
particular preferred embodiments, but variations within the 
spirit and scope of the invention will occur to those skilled 
in the art. For example, it will be understood that the 
public or private keys can be stored on any suitable media, 
for example a "smart card", which can be provided with a 
microprocessor capable of performing encoding and/or decoding, 
so that encrypted messages can be communicated to and/or from 
the smart card. 
NTRU: A RING-BASED PUBLIC KEY CRYPTOSYSTEM 

Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman 

ABSTRACT. We describe NTRU, a new public key cryptosystem. NTRU 
features reasonably short, easily created keys, high speed, and low memory 
requirements. NTRU encoding and decoding uses a mixing system suggested 
by polynomial algebra combined with a clustering principle based on elemen- 
tary probability theory. The security of the NTRU cryptosystem comes from 
the interaction of the polynomial mixing system with the independence of 
reduction modulo two relatively prime integers p and q. 

Contents 

0. Introduction 

1. Description of the NTRU Algorithm 

2. Parameter Selection 

3. Security Analysis 

4. Implementation Considerations 

5. Moderate Security Parameters For NTRU 

6. Comparison With Other PKCS's 
Appendix A. An Elementary Lemma 



§0. Introduction 

There has been considerable interest in the creation of efficient and computationally 
inexpensive public key cryptosystems since Diffie and Hellman [4] explained how such 
systems could be created using one-way functions. Currently, the most widely used 
public key system is RSA, which was created by Rivest, Shamir and Adleman in 1978 [10] 
and is based on the difficulty of factoring large numbers. Other systems include the 
McEliece system [9] which relies on error correcting codes, and a recent system of 
Goldreich, Goldwasser, and Halevi [5] which is based on the difficulty of lattice reduction 
problems. 

In this paper we describe a new public key cryptosystem, which we call the NTRU 
system. The encoding procedure uses a mixing system based on polynomial algebra and 
reduction modulo two numbers p and q, while the decoding procedure uses an unmixing 
system whose validity depends on elementary probability theory. The security of the 
NTRU public key cryptosystem comes from the interaction of the polynomial mixing 
system with the independence of reduction modulo p and q. Security also relies on the 
(experimentally observed) fact that for most lattices, it is very difficult to find extremely 
short (as opposed to moderately short) vectors. 

We mention that the presentation in this paper differs from an earlier, widely circu- 
lated but unpublished, preprint [7] in two major ways. First, we have introduced a new 
parameter K which can be used to produce systems with better operating characteris- 
tics. Second, the analysis of lattice-based attacks has been expanded and clarified, based 
largely on the numerous comments received from Don Coppersmith, Johan Hastad, and 
Adi Shamir in person, via email, and in the recent article [3] . We would like to take this 
opportunity to thank them for their interest and their help. 

NTRU fits into the general framework of a probabilistic cryptosystem as described 
in [1] and [6]. This means that encryption includes a random element, so each message 
has many possible encryptions. Encoding and decoding with NTRU are extremely fast, 
and key creation is fast and easy. See Sections 4 and 5 for specifics, but we note here that 
NTRU takes $O(N^2)$ operations to encode or decode a message block of length N, making 
it considerably faster than the $O(N^3)$ operations required by RSA. Further, NTRU key 
lengths are $O(N)$, which compares well with the $O(N^2)$ key lengths required by other 
"fast" public key systems such as [9, 5]. 

§1. Description of the NTRU algorithm 

§1.1. Notation. An NTRU cryptosystem depends on four integer parameters (N, K, p, q) 
and three sets $\mathcal L_g, \mathcal L_\phi, \mathcal L_m$ of polynomials of degree N − 1 with integer coefficients. We 
work in the ring $R = \mathbb Z[X]/(X^N - 1)$. An element $F \in R$ will be written as a polynomial 
or a vector, 
$$F = \sum_{i=1}^{N} F_i X^{N-i} = [F_1, F_2, \ldots, F_N].$$ 
We write $\circledast$ to denote multiplication in R. This star multiplication is given explicitly as 
a cyclic convolution product, 
$$F \circledast G = H \quad\text{with}\quad H_k = \sum_{i=1}^{k-1} F_i G_{k-i} + \sum_{i=k}^{N} F_i G_{N+k-i} = \sum_{i+j \equiv k \pmod N} F_i G_j.$$ 
When we do a multiplication modulo (say) q, we mean to reduce the coefficients modulo q. 

Remark. In principle, computation of a product $F \circledast G$ requires $N^2$ multiplications. However, 
for a typical product used by NTRU, one of F or G has small coefficients, so the 
computation of $F \circledast G$ is very fast. On the other hand, if N is taken to be large, then it 
might be faster to use Fast Fourier Transforms to compute products $F \circledast G$ in $O(N \log N)$ 
operations. 

§1.2 Key Creation. To create an NTRU key, Dan randomly chooses K + 1 polynomials 
$f, g_1, \ldots, g_K \in \mathcal L_g$. The polynomial f must satisfy the additional requirement that it have 
inverses modulo q and modulo p. For suitable parameter choices, this will be true for most 
choices of f, and the actual computation of these inverses is easy using a modification of 
the Euclidean algorithm. We will denote these inverses by $F_q$ and $F_p$, that is, 
$$F_q \circledast f \equiv 1 \pmod q \quad\text{and}\quad F_p \circledast f \equiv 1 \pmod p. \tag{1}$$ 
Dan next computes the quantities 
$$h_i \equiv F_q \circledast g_i \pmod q, \qquad 1 \le i \le K. \tag{2}$$ 
Dan's public key is the list of polynomials 
$$(h_1, h_2, \ldots, h_K).$$ 
Dan's private key is the single polynomial f, although in practice he will also want to 
store $F_p$. 

§1.3 Encoding. Suppose that Cathy (the encoder) wants to send a message to Dan (the 
decoder). She begins by selecting a message m from the set of plaintexts $\mathcal L_m$. Next she 
randomly chooses K polynomials $\phi_1, \ldots, \phi_K \in \mathcal L_\phi$, and uses Dan's public key $(h_1, \ldots, h_K)$ 
to compute 
$$e \equiv \sum_{i=1}^{K} p\phi_i \circledast h_i + m \pmod q.$$ 
This is the encoded message which Cathy transmits to Dan. 

§1.4 Decoding. Suppose that Dan has received the message e from Cathy and wants 
to decode it using his private key f. To do this efficiently, Dan should have precomputed 
the polynomial $F_p$ described in Section 1.2. 
In order to decode e, Dan first computes 
$$a \equiv f \circledast e \pmod q,$$ 
where he chooses the coefficients of a in the interval from −q/2 to q/2. Now treating a 
as a polynomial with integer coefficients, Dan recovers the message by computing 
$$F_p \circledast a \pmod p.$$ 

Remark. For appropriate parameter values, there is an extremely high probability that 
the decoding procedure will recover the original message. However, some parameter 
choices may cause occasional decoding failure, so one should probably include a few 
check bits in each message block. The usual cause of decoding failure will be that the 
message is improperly centered. In this case Dan will be able to recover the message by 
choosing the coefficients of $a \equiv f \circledast e \pmod q$ in a slightly different interval, for example 
from -q/2 + x to q/2 + x for some small (positive or negative) value of x. If no value 
of x works, then we say that we have gap failure and the message cannot be decoded as 
easily. For well-chosen parameter values, this will occur so rarely that it can be ignored 
in practice. 
§1.5 Why Decoding Works. The polynomial a that Dan computes satisfies 
$$\begin{aligned}
a \equiv f \circledast e &\equiv \sum_{i=1}^{K} f \circledast p\phi_i \circledast h_i + f \circledast m \pmod q \\
&\equiv \sum_{i=1}^{K} f \circledast p\phi_i \circledast F_q \circledast g_i + f \circledast m \pmod q \quad\text{from (2)} \\
&\equiv \sum_{i=1}^{K} p\phi_i \circledast g_i + f \circledast m \pmod q \quad\text{from (1).}
\end{aligned}$$ 
Consider this last polynomial 
$$\sum_{i=1}^{K} p\phi_i \circledast g_i + f \circledast m.$$ 
For appropriate parameter choices, we can ensure that (almost always) all of its coefficients 
lie between −q/2 and q/2, so that it doesn't change if its coefficients are reduced modulo q. 
This means that when Dan reduces the coefficients of $f \circledast e$ modulo q into the interval 
from −q/2 to q/2, he recovers exactly the polynomial 
$$a = \sum_{i=1}^{K} p\phi_i \circledast g_i + f \circledast m \quad\text{in } \mathbb Z[X]/(X^N - 1).$$ 
Reducing a modulo p then gives him the polynomial $f \circledast m \pmod p$, and multiplication 
by $F_p$ retrieves the message $m \pmod p$. 

§2 Parameter Selection 
§2.1 Notation and a norm estimate. We define the width of an element $F \in R$ to be 
$$|F|_\infty = \max_i\{F_i\} - \min_i\{F_i\}.$$ 
As our notation suggests, this is a sort of $L^\infty$ norm on R. Similarly, we define a centered 
$L^2$ norm on R by 
$$|F|_2 = \Bigl(\sum_{i=1}^{N} (F_i - \mu)^2\Bigr)^{1/2}, \qquad \mu = \frac{1}{N}\sum_{i=1}^{N} F_i.$$ 
(Equivalently, $|F|_2/\sqrt N$ is the standard deviation of the coefficients of F.) 
Proposition. For any ε > 0 there are constants $c_1, c_2 > 0$, depending on ε, N and K, 
such that for randomly chosen polynomials $F_1, \ldots, F_K, G_1, \ldots, G_K \in R$, the probability 
is greater than 1 − ε that they satisfy 
$$c_1\bigl(|F_1|_2|G_1|_2 + \cdots + |F_K|_2|G_K|_2\bigr) \le \Bigl|\sum_{i=1}^{K} F_i \circledast G_i\Bigr|_\infty \le c_2\bigl(|F_1|_2|G_1|_2 + \cdots + |F_K|_2|G_K|_2\bigr). \tag{3}$$ 
Of course, this proposition would be useless from a practical viewpoint if the ratio 
$c_2/c_1$ were very large for small ε's. However, it turns out that even for moderately large 
values of N and K and very small values of ε, the constants $c_1, c_2$ are not at all extreme. 
We have verified this experimentally in a large number of situations and have an outline 
of a theoretical proof. 

§2.2 Sample spaces. As examples of typical sample spaces, we will take 
$$\begin{aligned}
\mathcal L_g &= \{g \in R : g \text{ has coefficients between } -(r-1)/2 \text{ and } (r-1)/2 \text{ inclusive}\} \\
\mathcal L_\phi &= \{\phi \in R : \phi \text{ has } d \text{ coefficients equal } 1,\ d \text{ coefficients equal } -1, \text{ the rest } 0\} \\
\mathcal L_m &= \{m \in R : m \text{ has coefficients between } -(s-1)/2 \text{ and } (s-1)/2 \text{ inclusive}\}
\end{aligned}$$ 
Later we will see that there are various constraints which r, d, s must satisfy in order 
to achieve security. We also note that every $\phi \in \mathcal L_\phi$ has $L^2$ norm $|\phi|_2 = \sqrt{2d}$, while 
average elements $g \in \mathcal L_g$ and $m \in \mathcal L_m$ have $L^2$ norms $|g|_2 = \sqrt{N(r^2-1)/12}$ and 
$|m|_2 = \sqrt{N(s^2-1)/12}$ respectively. To ease notation, we will write $L_g, L_\phi, L_m$ for the 
average $L^2$ norm of elements of $\mathcal L_g, \mathcal L_\phi, \mathcal L_m$ respectively. 

Although it is not strictly necessary, we will make the additional assumption that 
$L_m \approx pL_\phi$. This assumption will make it easier to analyze possible lattice attacks, as well 
as making such attacks less effective. As an example, suppose we take $d \approx N/4$. Then 
we would take $s \approx \sqrt 6\, p$. So the natural mod p information contained in m would have to 
be "thickened" by randomly adding and subtracting p to coefficients of m. 

§2.3 A decoding criterion. As described in §1.5, Dan will be able to decode the encoded 
message m provided that $\bigl|\sum p\phi_i \circledast g_i + f \circledast m\bigr|_\infty < q$. We can use the inequality (3) 
of the above Proposition (with K + 1 in place of K and for a suitably small choice of ε) 
to estimate 
$$\begin{aligned}
\Bigl|\sum_{i=1}^{K} p\phi_i \circledast g_i + f \circledast m\Bigr|_\infty
&\le c_2\Bigl(\sum_{i=1}^{K} |p\phi_i|_2\,|g_i|_2 + |f|_2\,|m|_2\Bigr) \\
&\approx c_2 L_g (KpL_\phi + L_m) \\
&\approx c_2 p L_g L_\phi (K+1) \quad\text{using the assumption } L_m \approx pL_\phi.
\end{aligned}$$ 
So in order to decode (with probability 1 − ε), Dan needs to choose parameters satisfying 
the decoding constraint 
$$c_2 p L_g L_\phi (K+1) < q. \tag{4}$$ 
§3 Security Analysis 

§3.1 Meet-in-the-middle attacks. For simplicity (and to aid the attacker), we assume 
K = 1, so an encoded message looks like $e \equiv \phi \circledast h + m \pmod q$. Andrew Odlyzko has 
pointed out that there is a meet-in-the-middle attack which can be used against $\phi$, and 
we observe that a similar attack applies also to the private key f. Briefly, one splits f in 
half, say $f = f_1 + f_2$, and then one matches $f_1 \circledast e$ against $-f_2 \circledast e$, looking for $(f_1, f_2)$ so 
that the corresponding coefficients have approximately the same value. Hence in order 
to obtain a security level of (say) $2^{80}$, one must choose f, g, and $\phi$ from sets containing 
around $2^{160}$ elements. 

§3.2 Multiple transmission attacks. Again for simplicity we assume that K = 1. We 
observe that if Cathy sends a single message m several times using the same public key 
but different random $\phi$'s, then the attacker Betty will be able to recover a large part of the 
message. Briefly, suppose that Cathy transmits $e_i \equiv \phi_i \circledast h + m \pmod q$ for i = 1, 2, ..., r. 
Betty can then compute $(e_i - e_1) \circledast h^{-1} \pmod q$, thereby recovering $\phi_i - \phi_1 \pmod q$. 
However, the coefficients of the $\phi$'s are so small that she recovers exactly $\phi_i - \phi_1$, and 
from this she will recover exactly many of the coefficients of $\phi_1$. If r is even of moderate 
size (say 4 or 5), Betty will recover enough of $\phi_1$ to be able to test all possibilities by 
brute force, thereby recovering m. Thus multiple transmissions are not advised without 
some further scrambling of the underlying message. We do point out that even if Betty 
decodes a single message in this fashion, this information will not assist her in decoding 
any further messages. 
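The key creation, encoding and decoding steps described in Figures 3-5 of the patent and in Sections 1.2-1.5 of the paper, together with the multiple-transmission attack of Section 3.2, as an added Python example; this is not code from the patent or the paper. Choices made here that the text leaves open: p is prime and q is a power of 2, so $F_q$ is obtained by inverting f modulo 2 and Newton-lifting the result, while the "modification of the Euclidean algorithm" is plain extended Euclid over GF(p)[X] against $X^N - 1$; f and the $g_i$ are drawn from $\{-1,0,1\}^N$ (r = 3) and plaintext coefficients from $\{-1,0,1\}$ (s = 3); and the attack part redraws g until h is invertible modulo q, which the attack presupposes. All function names, the `seed` arguments and the parameters N = 17, K = 2, p = 3, q = 128, d = 3 are this example's own; with those values $|\sum p\phi_i \circledast g_i + f \circledast m|_\infty \le 2\cdot 3\cdot 6 + 17 = 53 < q/2$, so the round trip never meets the decoding failure discussed in §1.4.

```python
# Added example (not the patent's or the paper's code): NTRU key creation, encoding, decoding
# (Figures 3-5, Sections 1.2-1.5) and the Section 3.2 multiple-transmission attack; p prime, q = 2^k.
import random

def star(a, b, N):                      # cyclic convolution in Z[X]/(X^N - 1), low degree first
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return c

def center(a, mod):                     # reduce coefficients into [-mod/2, mod/2)
    return [(x + mod // 2) % mod - mod // 2 for x in a]

def _trim(a):                           # drop leading zero coefficients; [0] is the zero polynomial
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def _divmod(a, b, pr):                  # long division in GF(pr)[X]
    b, r = _trim([x % pr for x in b]), _trim([x % pr for x in a])
    q, inv = [0] * max(1, len(r) - len(b) + 1), pow(b[-1], -1, pr)
    while r != [0] and len(r) >= len(b):
        k, c = len(r) - len(b), r[-1] * inv % pr
        q[k] = c
        for i, bi in enumerate(b):
            r[k + i] = (r[k + i] - c * bi) % pr
        r = _trim(r)
    return q, r

def _mul(a, b, pr):                     # ordinary product in GF(pr)[X]
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % pr
    return _trim(c)

def inverse_mod_prime(f, N, pr):
    """Extended Euclid on f and X^N - 1 over GF(pr); None when f has no inverse."""
    r0, r1, s0, s1 = _trim([x % pr for x in f]), [(-1) % pr] + [0] * (N - 1) + [1], [1], [0]
    while r1 != [0]:
        qt, r = _divmod(r0, r1, pr)
        qs = _mul(qt, s1, pr) + [0] * len(s0)
        r0, r1, s0, s1 = r1, r, s1, _trim([(x - y) % pr for x, y in zip(s0 + [0] * len(qs), qs)])
    if len(r0) != 1 or r0[0] == 0:      # the gcd must be a non-zero constant
        return None
    s0 = [x * pow(r0[0], -1, pr) % pr for x in s0] + [0] * N
    return [sum(s0[i::N]) % pr for i in range(N)]   # fold back modulo X^N - 1

def inverse_mod_pow2(f, N, q):
    """F_q for q = 2^k: invert mod 2, then lift F <- F(2 - f⊛F) until the modulus reaches q."""
    F, mod = inverse_mod_prime(f, N, 2), 2
    if F is None:
        return None
    while mod < q:
        mod *= mod
        t = [(2 if i == 0 else 0) - x for i, x in enumerate(star(f, F, N))]
        F = [x % mod for x in star(F, t, N)]
    return [x % q for x in F]

def random_phi(N, d, rng):              # element of L_phi: d ones, d minus-ones, the rest zero
    return rng.sample([1] * d + [-1] * d + [0] * (N - 2 * d), N)

def keygen(N, K, p, q, seed, invertible_g=False):
    """Loop 330 of Figure 3: redraw f until F_p and F_q exist; then h_i = F_q ⊛ g_i (mod q)."""
    rng = random.Random(seed)
    while True:
        f = [rng.choice((-1, 0, 1)) for _ in range(N)]
        Fp, Fq = inverse_mod_prime(f, N, p), inverse_mod_pow2(f, N, q)
        if Fp is not None and Fq is not None:
            break
    gs = []
    while len(gs) < K:                  # invertible_g: extra condition, needed only by the attack
        g = [rng.choice((-1, 0, 1)) for _ in range(N)]
        if not invertible_g or inverse_mod_pow2(g, N, q) is not None:
            gs.append(g)
    return [[x % q for x in star(Fq, g, N)] for g in gs], (f, Fp)

def encode(m, hs, N, p, q, d, seed):    # e = sum p*phi_i ⊛ h_i + m (mod q); phi_i returned for the demo
    rng = random.Random(seed)
    phis = [random_phi(N, d, rng) for _ in hs]
    e = list(m)
    for phi, h in zip(phis, hs):
        e = [x + p * y for x, y in zip(e, star(phi, h, N))]
    return [x % q for x in e], phis

def decode(e, priv, N, p, q):
    f, Fp = priv
    a = center(star(f, e, N), q)        # exactly sum p*phi_i⊛g_i + f⊛m when that has width < q
    return center(star(Fp, a, N), p)    # F_p ⊛ a ≡ m (mod p), re-centered into {-1, 0, 1}

def multiple_transmission_attack(es, h, N, p, q):
    """Section 3.2 (K = 1): recover phi_i - phi_1 exactly from e_i - e_1 and narrow phi_1."""
    h_inv, p_inv = inverse_mod_pow2(h, N, q), pow(p, -1, q)
    diffs, cands = [], [{-1, 0, 1} for _ in range(N)]
    for e in es[1:]:
        diff = star([x - y for x, y in zip(e, es[0])], h_inv, N)
        diff = center([p_inv * x for x in diff], q)        # entries lie in [-2, 2], so this is exact
        diffs.append(diff)
        for j, dj in enumerate(diff):                      # phi_1[j] + dj must again lie in {-1, 0, 1}
            cands[j] &= {v for v in (-1, 0, 1) if -1 <= v + dj <= 1}
    return diffs, cands
```

`multiple_transmission_attack` returns the exactly recovered differences $\phi_i - \phi_1$ and, for each coefficient of $\phi_1$, the set of values still consistent with all of them: a difference of ±2 pins that coefficient outright, seeing both +1 and −1 at one position pins it to 0, and whatever ambiguity is left is what the paper says Betty finishes by brute force.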

§3.3 Lattice based attacks. 

We begin with a few words concerning lattice reduction. The goal of lattice reduction 
is to find one or more "small" vectors in a given lattice $\mathcal M$. In theory, the smallest 
vector in $\mathcal M$ can be found by an exhaustive search, but in practice this is not possible 
if the dimension of $\mathcal M$ is large. The LLL algorithm of Lenstra-Lenstra-Lovász [8], with 
various improvements due to Schnorr [11, 12] and others, will find small vectors of $\mathcal M$ in 
polynomial time, but for most lattices of large (> 100, say) dimension, it will not find 
the smallest vector, and the gap between the smallest LLL-determinable vector and the 
actual smallest vector appears to increase exponentially with the dimension. In order 
to describe the security of NTRU from lattice attacks, we consider the following three 
hypotheses on lattices of large dimension: 

(H1) For most lattices $\mathcal M$, the length $\sigma(\mathcal M)$ of the smallest non-zero vector of $\mathcal M$ 
satisfies 
$$\sqrt{\frac{\dim(\mathcal M)}{2\pi e}}\,\mathrm{Disc}(\mathcal M)^{1/\dim(\mathcal M)} \le \sigma(\mathcal M) \le \sqrt{\frac{\dim(\mathcal M)}{\pi e}}\,\mathrm{Disc}(\mathcal M)^{1/\dim(\mathcal M)}.$$ 
Hence if $v \in \mathcal M$ satisfies 
$$|v| \ge \sqrt{\frac{\dim(\mathcal M)}{\pi e}}\,\mathrm{Disc}(\mathcal M)^{1/\dim(\mathcal M)},$$ 
then v will be hidden in a cloud of exponentially many vectors of approximately 
the same length. 
(H2) Suppose that the lattice $\mathcal M$ has a vector w which is smaller than the shortest 
expected vector described by (H1), but that $\mathcal M$ is otherwise a "random" lattice. 
If w satisfies 
$$|w| > \kappa^{-\dim(\mathcal M)}\sqrt{\frac{\dim(\mathcal M)}{2\pi e}}\,\mathrm{Disc}(\mathcal M)^{1/\dim(\mathcal M)},$$ 
then lattice reduction is highly unlikely to find w. 
(H3) Suppose we are in the situation of (H2). Then the smallest non-zero vector 
$v_{LLL}$ computed by lattice reduction methods is almost certain to satisfy 
$$|v_{LLL}| \ge \kappa^{\dim(\mathcal M)}\,|w|.$$ 

Remark. The lattice reduction constant κ which appears in hypotheses (H2) and (H3) 
must be determined by experimentation and experience. This is similar to the situation 
with the RSA PKCS, where security rests on estimating current capabilities for factoring 
products pq. It is even more closely analogous to the PKCS described in [5], whose 
security is directly linked to the difficulty of finding small (almost orthogonalized) bases for 
lattices. Experiments with lattices of large (> 100) dimension suggest that one can take 
$\kappa = 1.5^{1/100}$. (See, for example, [11] and [12].) And just as future advances in factorization 
will require the use of larger primes in the RSA PKCS, so future advances in lattice 
reduction will undoubtedly require using a smaller value of κ and correspondingly larger 
parameters in NTRU. We also mention that we will only need to assume hypotheses (H2) 
and (H3) for lattices of dimension greater than 700. For lattices of such high dimension, 
even the LLL algorithm with Schnorr's block reduction improvement takes quite a long 
time. If we are willing to assume hypotheses (H2) and (H3) for lattices of dimension 
around 300, we can choose NTRU parameters with even better operating characteristics. 
§3.3.1 Small lattice attack on the key f. We begin with what is probably the most 
natural lattice, namely we take any one of the $h_i$'s and search for the small vector f with 
the property that $h_i \circledast f \pmod q$ is also small. To do this, we write $h_i = [h_{i1}, \ldots, h_{iN}]$ 
and consider the lattice $\mathcal M$ generated by the columns of the following matrix: 
$$\mathcal M = \begin{pmatrix}
\lambda & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 \\
0 & \lambda & \cdots & 0 & 0 & 0 & \cdots & 0 \\
\vdots & & \ddots & & \vdots & & & \vdots \\
0 & 0 & \cdots & \lambda & 0 & 0 & \cdots & 0 \\
h_{i1} & h_{i2} & \cdots & h_{iN} & q & 0 & \cdots & 0 \\
h_{i2} & h_{i3} & \cdots & h_{i1} & 0 & q & \cdots & 0 \\
\vdots & & & \vdots & & & \ddots & \vdots \\
h_{iN} & h_{i1} & \cdots & h_{i,N-1} & 0 & 0 & \cdots & q
\end{pmatrix}$$ 
With an eye towards future notational convenience, we will write this matrix as 
$$\begin{pmatrix} \lambda I & 0 \\ h_i & qI \end{pmatrix}.$$ 
The quantity λ will be chosen by the attacker to optimize the attack. We observe that $\mathcal M$ 
satisfies 
$$\dim(\mathcal M) = 2N \quad\text{and}\quad \mathrm{Disc}(\mathcal M) = \lambda^N q^N.$$ 
There are two issues to consider. First, is the actual key f embedded in $\mathcal M$ as a short 
vector. Notice that $\mathcal M$ contains the target vector 
$$u_{targ} = [\lambda f_N, \ldots, \lambda f_1, g_1, \ldots, g_N],$$ 
and knowledge of $u_{targ}$ allows recovery of f. However, we can compute the length of $u_{targ}$: 
$$|u_{targ}|_2 = \sqrt{\lambda^2 |f|_2^2 + |g|_2^2} = L_g\sqrt{\lambda^2 + 1}.$$ 
Hypothesis (H1) says that f is safe from attack if $|u_{targ}|_2$ satisfies the inequality 
$$|u_{targ}|_2 > \sqrt{\frac{\dim(\mathcal M)}{\pi e}}\,\mathrm{Disc}(\mathcal M)^{1/\dim(\mathcal M)} = \sqrt{\frac{2N}{\pi e}}\,(\lambda q)^{1/2}.$$ 
In other words, we need 
$$L_g\sqrt{\lambda^2 + 1} > \sqrt{\frac{2N\lambda q}{\pi e}}.$$ 
The optimal λ from the attacker's viewpoint is λ = 1 (see Lemma A.1), since she wants 
to minimize the left-hand side. So we will be safe provided 
$$q < \frac{\pi e\, L_g^2}{N}. \tag{5}$$ 

A second consideration is whether some other small vector in $\mathcal M$ might allow the 
attacker to decode the message. Thus any small vector $[f', g'] \in \mathcal M$ has the property 
that $f'$ and $h_i \circledast f' \equiv g' \pmod q$ are both small. However, if the attacker computes 
$$e \circledast f' \equiv \sum_{j=1}^{K} p\phi_j \circledast h_j \circledast f' + m \circledast f' \pmod q,$$ 
only the term with j = i will have small coefficients modulo q. Hence an $f'$ which makes 
a single $h_i$ small will not act as a decoding key. This suggests that we look at all of 
the $h_j$'s simultaneously, which leads us to the next lattice. 

§3.3.2 Big lattice attack on the key f. Rather than using only one of the $h_i$'s, the 
attacker can instead form a lattice using some subset of the $h_i$'s. Relabeling, we will 
assume that the attacker uses $h_1, \ldots, h_k$ for some $1 \le k \le K$ and forms the lattice $\mathcal M$ 
generated by the columns of the matrix 
$$\begin{pmatrix}
\lambda I & 0 & 0 & \cdots & 0 \\
h_1 & qI & 0 & \cdots & 0 \\
h_2 & 0 & qI & \cdots & 0 \\
\vdots & & & \ddots & \vdots \\
h_k & 0 & 0 & \cdots & qI
\end{pmatrix}$$ 
(We are using the abbreviated notation from the previous section.) This lattice satisfies 
$$\dim(\mathcal M) = (k+1)N \quad\text{and}\quad \mathrm{Disc}(\mathcal M) = \lambda^N q^{kN}.$$ 
It contains the target vector (using the obvious shorthand) 
$$u_{targ} = [\lambda f, g_1, g_2, \ldots, g_k].$$ 
(More precisely, the coordinates of f need to be reversed.) This target vector has length 
$$|u_{targ}|_2 = \sqrt{\lambda^2|f|_2^2 + |g_1|_2^2 + \cdots + |g_k|_2^2} = L_g\sqrt{\lambda^2 + k}.$$ 
Hypothesis (H2) says that lattice reduction will not be able to find $u_{targ}$ provided that 
its length satisfies 
$$|u_{targ}|_2 > \kappa^{-\dim(\mathcal M)}\sqrt{\frac{\dim(\mathcal M)}{2\pi e}}\,\mathrm{Disc}(\mathcal M)^{1/\dim(\mathcal M)} = \kappa^{-(k+1)N}\sqrt{\frac{(k+1)N}{2\pi e}}\,\lambda^{1/(k+1)} q^{k/(k+1)}.$$ 
So we will be safe from attack if 
$$L_g\sqrt{\lambda^{2k/(k+1)} + k\lambda^{-2/(k+1)}} > \kappa^{-(k+1)N}\sqrt{\frac{(k+1)N}{2\pi e}}\,q^{k/(k+1)}.$$ 
As before, the attacker will choose λ to minimize the left-hand side. Again it turns 
out that λ = 1 gives the minimum (see Lemma A.1), so the actual key will be safe under 
Hypothesis (H2) provided 
$$q^{k/(k+1)} < \kappa^{(k+1)N} L_g\sqrt{\frac{2\pi e}{N}}. \tag{6}$$ 

§3.3.3 Big lattice attack on a spurious key F. Rather than searching for the true 
key f, the attacker might try to find some other key F which acts as a decoding key. In 
order to be a spurious key, F itself and also each of the products $h_j \circledast F \pmod q$ must 
be small. More precisely, suppose that the attacker finds an F and computes 
$$G_j \equiv h_j \circledast F \pmod q \qquad \text{for } j = 1, 2, \ldots, K.$$ 
We would like to know that the width ($L^\infty$ norm) of an expression 
$$\phi_1 \circledast G_1 + \phi_2 \circledast G_2 + \cdots + \phi_K \circledast G_K + m \circledast F$$ 
is generally at least Wq for some wrapping factor W. (We will discuss in Section 4 the 
question of how large W must be for the system to be secure.) 
In order to try to find a spurious key F, the attacker will take the lattice $\mathcal M$ described 
in Section 3.3.2 and use lattice reduction techniques to find a small vector $v_{LLL}$. The 
smallest non-zero vector in $\mathcal M$ is the vector $v_{targ} = [\lambda f, g_1, \ldots, g_K]$, so Hypothesis (H3) 
says that 
$$|v_{LLL}|_2 \ge \kappa^{(K+1)N}\,|v_{targ}|_2.$$ 
Writing $v_{LLL} = [\lambda F, G_1, G_2, \ldots, G_K]$ and taking λ = 1 as in Section 3.3.2, we find that 
$$\sqrt{|F|_2^2 + |G_1|_2^2 + \cdots + |G_K|_2^2} \ge \kappa^{(K+1)N} L_g\sqrt{1 + K}.$$ 
The vector $v_{LLL}$ obtained by lattice reduction will have components whose size is more- 
or-less randomly distributed. In particular, all of the lengths $|F|_2, |G_1|_2, \ldots, |G_K|_2$ will 
be approximately the same, so we obtain (approximately) 
$$|F|_2, |G_1|_2, \ldots, |G_K|_2 \ge \kappa^{(K+1)N} L_g.$$ 
On the other hand, we can use this and (3) to estimate 
$$\begin{aligned}
|\phi_1 \circledast G_1 + \phi_2 \circledast G_2 + \cdots + \phi_K \circledast G_K + m \circledast F|_\infty
&\ge c_1\bigl(|\phi_1|_2\,|G_1|_2 + \cdots + |\phi_K|_2\,|G_K|_2 + |m|_2\,|F|_2\bigr) \\
&\ge c_1 L_\phi\bigl(|G_1|_2 + \cdots + |G_K|_2 + |F|_2\bigr) \\
&\ge c_1 (K+1) L_\phi L_g \kappa^{(K+1)N}.
\end{aligned}$$ 
So the spurious key will fail with wrapping factor W provided the parameters are chosen 
to satisfy 
$$Wq < c_1 (K+1) L_\phi L_g \kappa^{(K+1)N}. \tag{7}$$ 
(This may be compared with the decoding inequality (4).) 

§3.3.4 Big lattice attack on an individual message. There is one other sort of 
lattice attack which must be considered. Rather than looking for a key which decodes 
every message, an attacker can construct a lattice to search for an individual message. 
Consider the following lattice, which is similar to the one used in Section 3.3.2. Let $\mathcal M$ 
be the lattice generated by the columns of the matrix 
$$\begin{pmatrix}
\lambda I & 0 & \cdots & 0 & 0 \\
0 & \lambda I & \cdots & 0 & 0 \\
\vdots & & \ddots & & \vdots \\
0 & 0 & \cdots & \lambda I & 0 \\
p h_1 & p h_2 & \cdots & p h_K & qI
\end{pmatrix}$$ 
This lattice satisfies 
$$\dim(\mathcal M) = (K+1)N \quad\text{and}\quad \mathrm{Disc}(\mathcal M) = \lambda^{KN} q^N$$ 
and contains (using the obvious notation) the vector 
$$[\lambda\phi_1, \lambda\phi_2, \ldots, \lambda\phi_K, e - m]. \tag{8}$$ 
It contains this vector because the encoded message e was constructed according to the 
rule 
$$p\phi_1 \circledast h_1 + p\phi_2 \circledast h_2 + \cdots + p\phi_K \circledast h_K + m \equiv e \pmod q.$$ 
Clearly (8) is not likely to be a short vector, since the coefficients of $e - m \pmod q$ 
will not be small. However, the attacker knows the value of e, so she can search for a 
vector in $\mathcal M$ which is close to the known non-lattice vector $[0, 0, \ldots, 0, e]$. The distance 
from the sought-for lattice vector to the known non-lattice vector is the length of the 
vector 
$$v_{targ} = [\lambda\phi_1, \lambda\phi_2, \ldots, \lambda\phi_K, -m].$$ 
This is an example of an inhomogeneous lattice problem. Inhomogeneous problems tend 
to be somewhat harder than homogeneous problems, but to err on the side of caution, 
we will assume that the attacker can solve inhomogeneous problems to the exact same 
degree she can solve homogeneous problems. So we need to see if the attacker can find a 
vector of length 
$$|v_{targ}|_2 = L_\phi\sqrt{K\lambda^2 + p^2}.$$ 
(Remember that $|m|_2 = p|\phi|_2$ for every $m \in \mathcal L_m$ and every $\phi \in \mathcal L_\phi$.) According to 
Hypothesis (H2), the attack will fail provided that 
$$|v_{targ}|_2 > \kappa^{-\dim(\mathcal M)}\sqrt{\frac{\dim(\mathcal M)}{2\pi e}}\,\mathrm{Disc}(\mathcal M)^{1/\dim(\mathcal M)},$$ 
or in other words, if 
$$L_\phi\sqrt{K\lambda^{2/(K+1)} + p^2\lambda^{-2K/(K+1)}} > \kappa^{-(K+1)N}\sqrt{\frac{(K+1)N}{2\pi e}}\,q^{1/(K+1)}.$$ 
The attacker will minimize the left-hand side by taking λ = p (see Lemma A.1), so the 
attack will fail provided 
$$q^{1/(K+1)} < \kappa^{(K+1)N} L_\phi\sqrt{\frac{2\pi e}{N}}\,p^{1/(K+1)}. \tag{9}$$ 
This may be compared with (6), which it complements. 
§3.3.5 Summary of lattice attack parameter constraints. In the preceding parts 
of this section we have described various lattice attacks and devised constraints on the 
parameters which prevent these attacks from succeeding. There remains the question of 
whether there exist any choices of parameters which satisfy all of the constraints. For the 
convenience of the reader, we list here all of the inequalities from this section, together 
with the fundamental inequality (4) which is necessary if the owner of the true key f is 
to be able to decode m: 
$$c_2 p L_g L_\phi (K+1) < q. \tag{4}$$ 
$$q < \frac{\pi e\, L_g^2}{N}. \tag{5}$$ 
$$q^{k/(k+1)} < \kappa^{(k+1)N} L_g\sqrt{\frac{2\pi e}{N}} \qquad \text{for every } 1 \le k \le K. \tag{6$_k$}$$ 
$$Wq < c_1 (K+1) L_\phi L_g \kappa^{(K+1)N}. \tag{7}$$ 
$$q^{1/(K+1)} < \kappa^{(K+1)N} L_\phi\sqrt{\frac{2\pi e}{N}}\,p^{1/(K+1)}. \tag{9}$$ 
We observe that for any fixed values $c_1, c_2, L_\phi > 0$ and $p, \kappa, W > 1$, there always exist 
solutions $N, K, L_g, q$ to these inequalities. We now make a few remarks to assist in finding 
solutions. 

We begin by combining these inequalities in various ways. First combining (4) and (7) 
gives (after some algebra) 
$$(K+1)N > \frac{\log(c_2 p W / c_1)}{\log \kappa}. \tag{10}$$ 
Note we have (essentially) no freedom in choosing $c_1$, $c_2$, and κ, and that W will be chosen 
between 5 and 10 depending on the level of security desired. This leaves the choice of p, 
which will normally be fairly small. The point here is that (10) gives a lower bound for 
(K+1)N over which we have very little control. 
Next we combine (4) and (5) to get 
$$L_g > \frac{c_2 p (K+1) N}{\pi e}\, L_\phi. \tag{11}$$ 
In order to have some flexibility in the choice of q, it is a good idea to take $L_g$ to be 
(say) 1.5 to 2 times larger than this prescribed lower bound. 
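The two combinations just mentioned, carried through step by step with the paper's own symbols (an added derivation; the paper itself only says "after some algebra"). Chaining (4) with (7) brackets q from both sides,
$$c_2\, p\, L_g L_\phi (K+1) \;<\; q \;<\; \frac{c_1 (K+1) L_\phi L_g\, \kappa^{(K+1)N}}{W},$$
and cancelling the common factor $(K+1) L_g L_\phi$ leaves $\kappa^{(K+1)N} > c_2 p W / c_1$; taking logarithms gives
$$(K+1)N > \frac{\log(c_2 p W / c_1)}{\log \kappa},$$
which is the lower bound (10) on $(K+1)N$. Chaining (4) with (5) in the same way,
$$c_2\, p\, L_g L_\phi (K+1) \;<\; q \;<\; \frac{\pi e\, L_g^2}{N},$$
and dividing through by $L_g$ leaves
$$L_g > \frac{c_2\, p\, (K+1) N}{\pi e}\, L_\phi,$$
which is (11). Both chains are strict, so a parameter set sitting exactly on either bound leaves no integer q satisfying the two sides at once; that is the reason for the recommendation to take $L_g$ 1.5 to 2 times above the bound (11) before choosing q.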

For example, if $\mathcal L_\phi$ and $\mathcal L_g$ are as described in Section 2.2, then $L_\phi = \sqrt{2d}$ and most 
$g \in \mathcal L_g$ satisfy $|g|_2 \approx L_g = \sqrt{N(r^2-1)/12}$. So after using (11) to choose $L_g$, we 
can take $r = \lfloor L_g\sqrt{12/N}\rfloor$, and then most $g \in \mathcal L_g$ will have $L^2$ norm very close to the 
desired $L_g$. Further, since the code creator Dan is the only one who chooses elements 
from $\mathcal L_g$, and since these choices only need to be made once, it won't be hard for him to 
find the necessary K + 1 polynomials in $\mathcal L_g$ with norm approximately $L_g$; and even with 
the length restriction, the number of such polynomials in $\mathcal L_g$ is astronomically larger than 
an attacker can check via exhaustive search, since in practice $r^N$ tends to be at least $2^{500}$. 
§4 Implementation Considerations
§4.1 Security and Wrapping Factors. Recall that the wrapping factor W controls 
how much wrapping the attacker can expect when she uses a spurious key produced by 
lattice reduction. If W is too small, for example W = 1.5, then the attacker will be able 
to recover many (maybe even most) of the coefficients, because their values tend to cluster 
around the mean. More precisely, the attacker will recover (say) 0.95N linear equations
for the N unknown coefficients, and then a brute-force search finishes the attack.

Coppersmith and Shamir [3] have observed that even if W is a bit larger than this, 
say W = 2.5, then the clustering allows the attacker to obtain approximately 0.67N
linear equations for the N unknowns. They then observe that if the attacker constructs 
two independent spurious keys and applies them, she might obtain sufficiently many 
independent equations to solve the system. They further note that if W = 4, then using 
several short vectors might allow the attack to succeed by employing some sort of error- 
correcting technique, but that if W is as large as 10, then this sort of attack will not 
succeed. We refer the reader to [3] for details. 

Based on these considerations, we will use a wrapping factor of W = 10 to construct 
sample operating parameters. 

§4.2 Sample Operating Parameters. In this section we will work out two sets of usable
parameters for the NTRU PKCS which are secure under the hypotheses of Section 3.
These parameter sets lead to a fairly high message expansion, so we refer the reader to
Section 4.3 below for a two-stage version of NTRU which reduces the message expansion
to a manageable 2-to-1.

We begin with three values forced on us by experimental evidence, and a fourth value 
chosen to ensure sufficient wrapping to foil a spurious key attack: 

$$c_1 = 0.08, \qquad c_2 = 0.24, \qquad W = 10, \qquad \kappa = 1.5^{1/100} \approx 1.0040628823.$$

The values of $c_1$ and $c_2$ have been determined by extensive numerical testing in the desired
ranges; but we also have a fairly good idea how to give them a probabilistic justification.
The wrapping factor W = 10 was discussed above in Section 4.1. Finally, the choice of
the lattice reduction constant $\kappa$ has already been discussed in the remark in Section 3.3,
although to guard against future improvements in lattice reduction technology, the
security conscious user might instead take $\kappa = 1.3^{1/100}$, with changes in the other
parameters.

We consider first the choice p = 2. The inequality (10) from Section 3.3.5 tells us that 
we need to take 

(K + 1)N > 1009.79, 

so we will let 

N = 167 and K = 6. 

(It is convenient, but not necessary, to have N and (N - l)/2 both prime.) This choice 
will provide sufficient leeway for choosing the remaining coefficients. 

We take $\mathcal{L}_\phi$ as in Section 2.2 with d = 20, so $\#\mathcal{L}_\phi = 167!/(20!\cdot 20!\cdot 127!) \approx 2^{165.85}$,
which provides sufficient security against meet-in-the-middle attacks. Further, $L_\phi =
\sqrt{2d} \approx 6.325$, and substituting these choices into (11) gives $L_g > 414.07$. To provide
some leeway, we take r = 167, which makes the expected value of $L_g$ equal to 622.98.
Finally, our five fundamental inequalities from Section 3.3.5 tell us that q must satisfy 

$$2^{13.6924} < q < \max\{2^{14.2766},\ 2^{14.7278},\ 2^{14.6238},\ 2^{52.481}\}.$$

(Of course, the inequality ($6_k$) in Section 3.3.5 is really 6 inequalities, one for each 1 ≤
k ≤ 6.) Thus we can take $q = 2^{14} - 1 = 16383$. (Note that gcd(p, q) = 1 is required.)
To recapitulate, assuming the hypotheses of Section 3.3, the following parameters give a
secure NTRU PKCS:

$$N = 167, \quad K = 6, \quad q = 16383 = 2^{14} - 1, \quad p = 2, \quad r = 167, \quad d = 20, \quad s = 3,$$

where the sets $\mathcal{L}_g, \mathcal{L}_\phi, \mathcal{L}_m$ are chosen as described in Section 2.2. For these parameters

Public key length  = NK log_2 q    = 14028 bits
Private key length = N log_2 pr    = 1400 bits
Message expansion  = log q / log p = 14-to-1

Using a similar analysis, we construct a second set of secure NTRU parameters with a 
larger value of p. These parameters seem well suited to current microprocessors, since all 
operations are on numbers smaller than $2^{16}$, and q is a power of 2, so division by q with
remainder is a simple shift operation. We take

$$N = 167, \quad K = 6, \quad q = 2^{16}, \quad p = 3, \quad r = 354, \quad d = 40, \quad s = 7.$$

These parameters give $\#\mathcal{L}_\phi = 167!/(40!\cdot 40!\cdot 87!) \approx 2^{239.3}$, and

Public key length  = NK log_2 q    = 16032 bits
Private key length = N log_2 pr    = 1678 bits
Message expansion  = log q / log p = 10.1-to-1

§4.3 Two-Stage NTRU and Improved Message Expansion. The NTRU PKCS's 
for the sample parameters presented in Section 4.2 have rather large message expansions. 
One method to decrease this expansion is to use a larger value of p, but this leads 
to significantly larger values for (K + l)N, which in turn increases both key sizes and 
decreases computational efficiency. 

Another method to decrease message expansion is to use each NTRU message as a 
sort of one-time-pad to encode the actual message. In this two-stage version of NTRU, 
the encoder Cathy chooses a random polynomial $m \in \mathcal{L}_m$, while her actual plaintext
message M is allowed to be any polynomial modulo q. To encode her message, she
computes the two quantities

$$e = \sum_{i=1}^{K} p\phi_i \otimes h_i + m \pmod q \qquad\text{and}\qquad E = m \otimes h_1 + M \pmod q.$$



WO 98/08323 PCT/US97/15826



The encoded message is the pair (e,E). 

The decoding process is similar to before, but with one extra step. Thus the decoder 
Dan follows the procedure described in Section 1.4 to compute the polynomial m. He 
then recovers the message by computing 

$$E - m \otimes h_1 \pmod q.$$

We observe that the plaintext message M has length $N \log_2 q$ bits, while the encoded
message (e, E) has length $2N \log_2 q$ bits, so message expansion is down to 2-to-1.

We make one further remark. Cathy is using the same polynomial and modulus to 
encode both m and M. We do not believe that this compromises security, but for added 
security she could compute $E = m \otimes H + M \pmod Q$ for a different (public) polynomial H
and modulus Q. 

§4.4 Theoretical Operating Specifications. In this section we consider the theoretical
operating characteristics of the NTRU PKCS. There are four integer parameters
(N, K, p, q), three sets $\mathcal{L}_g, \mathcal{L}_\phi, \mathcal{L}_m$ determined respectively by integers r, d, s as
described in Section 2.2, three experimentally determined constants $c_1, c_2, \kappa$, and a wrapping
constant W. To ensure security, these parameters must be chosen to satisfy the inequalities
listed in Section 3.3.5. The following table summarizes the NTRU PKCS operating
characteristics in terms of these parameters.



    Plain Text Block        N log_2 p bits
    Encoded Text Block      N log_2 q bits
    Encoding Speed*         O(KN^2) operations
    Decoding Speed          O(N^2) operations
    Message Expansion       log_p q-to-1
    Private Key Length      N log_2 pr bits
    Public Key Length       KN log_2 q bits

* Precisely, 4KN^2 additions and KN divisions by q with remainder

For Two-Stage NTRU as described in Section 4.4, the following items change:

    Plain Text Block        N log_2 q bits
    Encoded Text Block      2N log_2 q bits
    Message Expansion       2-to-1



§4.5 Other Implementation Considerations. We briefly mention some additional
factors which should be considered when implementing NTRU.

(1) It is important that gcd(q, p) = 1. Although in principle NTRU will work without
this requirement, in practice having gcd(q, p) > 1 will decrease security. At the
extreme range, if p | q, then (exercise) the encoded message e satisfies e ≡ m (mod p),
so it is completely insecure.

(2) We want most f's to have inverses modulo p and modulo q, since otherwise it will
be hard to create keys. A first necessary requirement is that gcd(f(1), pq) = 1,
but if this fails for some chosen f, the code creator can instead use, say, f(X) + 1
or f(X) − 1. Assuming gcd(f(1), pq) = 1, virtually all f's will have the required
inverses if we take N to be a prime and require that for each prime P dividing p
and q, the order of P in (Z/NZ)* is large, say either N − 1 or (N − 1)/2. For
example, this will certainly be true if (N − 1)/2 is itself prime (i.e., N is a Sophie
Germain prime). Examples of such primes include 107 and 167.

§5 Moderate Security Parameters For NTRU 

There are many situations in the real world where high speed and/or low memory 
requirements are important and a moderate level of security is acceptable. In this context, 
we observe that actual lattice reduction methods [11, 12] are extremely CPU intensive 
and that, in practice, it requires a large expenditure of computer time to perform a lattice 
reduction on a lattice of dimension 200 to 300. Of course, "large" here is a relative term, 
but it would probably not be worthwhile to perform a 300 dimensional lattice reduction 
to steal something worth a fraction of a cent, and it would certainly be very expensive (if 
not completely infeasible) using current methods to perform such a lattice reduction in a 
short period of time (say a few minutes). Thus it is worthwhile creating a set of NTRU 
parameters which can be used in situations where one is willing to allow the possibility 
of large dimensional lattice attacks. 

If we eliminate the parameter constraints coming from lattice attacks, we are left with
only the decoding constraint

$$c_2\, p\, L_g L_\phi\,(K+1) < q \qquad (4)$$

and the condition that the search spaces for f, g, and φ are large enough to prevent a
brute-force (or possibly a meet-in-the-middle) attack. For simplicity, we will take K = 1.
We will take all of f, g, φ to be in the set $\mathcal{L}(d, d)$, which is the set of polynomials with d
coefficients equal to 1, d coefficients equal to −1, and the other N − 2d coefficients equal
to 0. (More precisely, since we need f to be invertible modulo p and q, we will take f to
have an extra 1 coefficient, but this will have little effect on the subsequent analysis, so
we will ignore it.) Using $c_2 = 0.24$ as usual, the decoding constraint becomes simply

$$q > 2pd. \qquad (4)$$

Our other constraint is

$$\binom{N}{d,\; d,\; N-2d} = \frac{N!}{(d!)^2\,(N-2d)!} \ge 2^{2\alpha},$$

where α is the desired security level. We note that for moderate security implementations,
a security level of around $2^{40}$ will generally suffice, so we will take α ≈ 40.

The following table gives some acceptable operating parameters for a moderate security
implementation of NTRU. In evaluating the security, we note that available lattice attacks
use a lattice of dimension 2N. We also note that the listed value of q is the smallest
allowed, but that a somewhat larger q satisfying gcd(p, q) = 1 is acceptable. In particular,
especially fast implementations are available by taking q = 64.



      N     d      α     p     q
    107     9   41.11    2    37
    107     9   41.11    3    55
    167     7   38.98    2    29
    167     7   38.98    3    43
    263     7   43.72    2    29
    263     7   43.72    3    43



Finally, we observe that the key sizes are very small,

Public Key:  N log_2(q) bits
Private Key: 2N log_2(p) bits

For example, (N, d, p, q) = (167, 7, 3, 64) gives a system with public and private keys of
lengths 1002 bits and 530 bits respectively.
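As an added example (not code from the patent or the NTRU authors), the following Python implements the K = 1 system of Section 5 with the (N, d, p, q) = (167, 7, 3, 64) parameters: f is drawn with the extra +1 coefficient so that f(1) = 1 is coprime to pq (Section 4.5), inverses are computed with the extended Euclidean algorithm modulo p and lifted to modulo 2^k, and each decoding is checked against the wrapping condition on p φ ⊗ g + f ⊗ m that underlies the constraint q > 2pd. The plaintext sampling, the seed and all helper names are assumptions of this example.

```python
# Added example (not code from the patent): NTRU key generation, encoding and
# decoding for the K = 1 moderate-security setting of Section 5 in Z[X]/(X^N - 1).
# Inverses mod a prime use the extended Euclidean algorithm; the inverse mod
# q = 2^k is lifted from the mod-2 inverse.  All random values are constructed.
import random

def _trim(a):                      # drop high-degree zero coefficients (lists are low -> high)
    while a and a[-1] == 0:
        a.pop()
    return a

def _divmod_p(a, b, p):            # long division a = quot * b + rem over F_p, b != 0
    a, inv_lead = a[:], pow(b[-1], p - 2, p)
    quot = [0] * max(0, len(a) - len(b) + 1)
    for i in range(len(a) - len(b), -1, -1):
        coef = (a[i + len(b) - 1] * inv_lead) % p
        quot[i] = coef
        for j, bj in enumerate(b):
            a[i + j] = (a[i + j] - coef * bj) % p
    return _trim(quot), _trim(a)

def _sub_mul(s0, quot, s1, p):     # s0 - quot * s1 over F_p
    c = s0 + [0] * max(0, len(quot) + len(s1) - 1 - len(s0))
    for i, qi in enumerate(quot):
        for j, sj in enumerate(s1):
            c[i + j] = (c[i + j] - qi * sj) % p
    return _trim(c)

def cyc_mul(a, b, N, mod=None):    # the ring product a (x) b in Z[X]/(X^N - 1)
    c = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % N] += ai * bj
    return c if mod is None else [x % mod for x in c]

def inverse_mod_prime(f, N, p):
    """F with f (x) F = 1 in (Z/pZ)[X]/(X^N - 1); None if gcd(f, X^N - 1) is not a unit."""
    r0, r1 = [(-1) % p] + [0] * (N - 1) + [1], _trim([c % p for c in f])
    s0, s1 = [], [1]               # invariant: s_i * f = r_i  (mod X^N - 1)
    while r1:
        quot, rem = _divmod_p(r0, r1, p)
        r0, r1, s0, s1 = r1, rem, s1, _sub_mul(s0, quot, s1, p)
    if len(r0) != 1:
        return None
    inv, F = pow(r0[0], p - 2, p), [0] * N
    for i, c in enumerate(s0):     # fold exponents modulo N
        F[i % N] = (F[i % N] + c * inv) % p
    return F

def inverse_mod_prime_power(f, N, p, k):
    """Lift the inverse mod p to an inverse mod p^k with the iteration F <- F (2 - f F)."""
    F, mod, q = inverse_mod_prime(f, N, p), p, p ** k
    while F is not None and mod < q:
        mod = min(mod * mod, q)    # each step doubles the p-adic precision
        t = [(-c) % mod for c in cyc_mul(f, F, N, mod)]
        t[0] = (t[0] + 2) % mod
        F = cyc_mul(F, t, N, mod)
    return F

def sample_ternary(N, ones, minus_ones, rng):   # `ones` coefficients +1, `minus_ones` -1, rest 0
    v = [1] * ones + [-1] * minus_ones + [0] * (N - ones - minus_ones)
    rng.shuffle(v)
    return v

def center(a, q):                  # coset representatives in [-q//2, q - q//2)
    return [((x + q // 2) % q) - q // 2 for x in a]

def keygen(N, d, p, k, rng):
    """Private key (f, F_p) and public key h = F_q (x) g (mod q), q = 2^k (the fast case of Section 5)."""
    while True:
        f = sample_ternary(N, d + 1, d, rng)   # the extra +1 gives f(1) = 1, so gcd(f(1), pq) = 1
        Fp, Fq = inverse_mod_prime(f, N, p), inverse_mod_prime_power(f, N, 2, k)
        if Fp is not None and Fq is not None:
            break
    g = sample_ternary(N, d, d, rng)
    return (f, Fp, Fq, g), cyc_mul(Fq, g, N, 2 ** k)

def encode(m, h, phi, N, p, q):    # e = p phi (x) h + m  (mod q)
    e = cyc_mul([p * c for c in phi], h, N)
    return [(x + y) % q for x, y in zip(e, m)]

def decode(e, f, Fp, N, p, q):     # a = f (x) e (mod q), centered; m' = F_p (x) a (mod p), centered
    a = center(cyc_mul(f, e, N, q), q)
    return center(cyc_mul(Fp, a, N, p), p)

def decoding_constraint_holds(f, g, m, phi, N, p, q):
    """Decoding is exact iff no coefficient of p phi (x) g + f (x) m wraps modulo q."""
    v = [x + y for x, y in zip(cyc_mul([p * c for c in phi], g, N), cyc_mul(f, m, N))]
    return all(-(q // 2) <= x < q - q // 2 for x in v)

def demo(N=167, d=7, p=3, k=6, seed=1):
    """One keygen / encode / decode round; defaults are the (167, 7, 3, 64) parameters of Section 5."""
    q, rng = 2 ** k, random.Random(seed)
    (f, Fp, Fq, g), h = keygen(N, d, p, k, rng)
    one = [1] + [0] * (N - 1)
    m, phi = [rng.choice((-1, 0, 1)) for _ in range(N)], sample_ternary(N, d, d, rng)  # constructed
    e = encode(m, h, phi, N, p, q)
    return {"inverses_ok": cyc_mul(f, Fp, N, p) == one and cyc_mul(f, Fq, N, q) == one,
            "constraint_ok": decoding_constraint_holds(f, g, m, phi, N, p, q),
            "recovered": decode(e, f, Fp, N, p, q) == m}
```

With q = 64 a coefficient of p φ ⊗ g + f ⊗ m can still wrap, and the returned flags show whether it did; demo(k=8) uses q = 256, above the worst-case bound 3·2d + (2d + 1) = 57, so there decoding can never fail.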

§6 Comparison With Other PKCS's 

There are currently a number of public key cryptosystems in the literature, including 
the system of Rivest, Shamir, and Adleman (RSA [10]) based on the difficulty of factoring,
the system of McEliece [9] based on error correcting codes, and the recent system of 
Goldreich, Goldwasser, and Halevi (GGH [5]) based on the difficulty of finding short 
almost-orthogonalized bases in a lattice. 

The NTRU system has some features in common with McEliece's system, in that ⊗-
multiplication in the ring R can be formulated as multiplication of matrices (of a special
kind), and then encoding in both systems can be written as a matrix multiplication 
E = AX + Y, where A is the public key. A minor difference between the two systems 
is that for an NTRU encoding, Y is the message and X is a random vector, while the 
McEliece system reverses these assignments. But the real difference is the underlying 
trap-door which allows decoding. For the McEliece system, the matrix A is associated to 
an error correcting (Goppa) code, and decoding works because the random contribution 
is small enough to be "corrected" by the Goppa code. For NTRU, the matrix A is a 
circulant matrix, and decoding depends on the decomposition of A into a product of two 
matrices having a special form, together with a lifting from mod q to mod p. 

As far as we can tell, the NTRU system has little in common with the RSA system. 
Similarly, although the NTRU system must be set up to prevent lattice reduction attacks, 
its underlying decoding method is very different from the GGH system, in which decoding 
is based on knowledge of short lattice bases. In this aspect, GGH actually resembles the 
McEliece system, since in both cases decoding is performed by recognizing and eliminating 
a small random contribution. Contrasting this, NTRU eliminates a much larger random 
contribution via divisibility (i.e., congruence) considerations. 
The following table compares some of the theoretical operating characteristics of the
RSA, McEliece, GGH, and NTRU cryptosystems. In each case the number N represents
a natural security/message length parameter.





                          NTRU    RSA    McEliece    GGH
    Encoding Speed         N^2    N^2      N^2       N^2
    Decoding Speed         N^2    N^3      N^2       N^2
    Public Key             N      N        N^2       N^2
    Private Key            N      N        N^2       N^2
    Message Expansion      2-1    1-1      2-1       1-1
Appendix A. An Elementary Lemma
The following result is useful for optimizing lattice attacks.
Lemma A.1. For all A, B, α, β > 0 with α + β = 1,

$$\inf_{x>0}\; A x^{\alpha} + B x^{-\beta} = \frac{A^{\beta} B^{\alpha}}{\alpha^{\alpha} \beta^{\beta}},$$

with the infimum occurring at x = βB/αA.

Proof. Let $f(x) = Ax^{\alpha} + Bx^{-\beta}$. Then $f'(x) = \alpha A x^{\alpha-1} - \beta B x^{-\beta-1} = x^{-\beta-1}(\alpha A x - \beta B)$.
So the absolute minimum is at x = βB/αA. (Note that f(x) → ∞ as x → 0+ and as
x → ∞.)

References 

1. M. Blum, S. Goldwasser, An efficient probabilistic public-key encryption scheme
which hides all partial information, Advances in Cryptology: Proceedings of CRYPTO 84,
Lecture Notes in Computer Science, vol. 196, Springer-Verlag, 1985, pp. 289-

2. H. Cohen, A course in computational algebraic number theory, Graduate Texts in
Math., vol. 138, Springer-Verlag, Berlin, 1993.

3. D. Coppersmith, A. Shamir, Lattice attacks on NTRU, Preprint, April 5, 1997;
presented at Eurocrypt 97.

4. W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Trans. on Information
Theory 22 (1976), 644-654.

5. O. Goldreich, S. Goldwasser, S. Halevi, Public-key cryptosystems from lattice reduction
problems, MIT Laboratory for Computer Science preprint, November 1996.

6. S. Goldwasser and S. Micali, Probabilistic encryption, J. Computer and Systems
Science 28 (1984), 270-299.

7. J. Hoffstein, J. Pipher, J.H. Silverman, NTRU: A new high speed public key
cryptosystem, Preprint; presented at the rump session of Crypto 96.

8. A.K. Lenstra, H.W. Lenstra, L. Lovász, Factoring polynomials with rational
coefficients, Math. Annalen 261 (1982), 515-534.

9. R.J. McEliece, A public-key cryptosystem based on algebraic coding theory, JPL
Pasadena, DSN Progress Reports 42-44 (1978), 114-116.

10. R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and
public key cryptosystems, Communications of the ACM 21 (1978), 120-126.

11. C.P. Schnorr, Block reduced lattice bases and successive minima, Combinatorics,
Probability and Computing 3 (1994), 507-522.

12. C.P. Schnorr, H.H. Hoerner, Attacking the Chor-Rivest cryptosystem by improved
lattice reduction, Proc. EUROCRYPT 1995, Lecture Notes in Computer Science
921, Springer-Verlag, 1995, pp. 1-12.

13. D. Stinson, Cryptography: Theory and Practice, CRC Press, Boca Raton, 1995.




CLAIMS:

1. A method for encoding and decoding a digital message 
m, comprising the steps of: 

selecting ideals p and q of a ring R; 

generating elements f and g of the ring R, and
generating element F_q which is an inverse of f (mod q), and
generating element F_p which is an inverse of f (mod p);

producing a public key that includes h, where h is
congruent, mod q, to a product that can be derived using g and
F_q;

producing a private key from which f and F_p can be
derived;

producing an encoded message e by encoding the
message m using the public key and a random element φ; and

producing a decoded message by decoding the encoded 
message e using the private key. 

2. The method as defined by claim 1, wherein said ring 
R is a module over a ring Z. 

3. The method as defined by claim 1, wherein the 
dimension of R over Z is N, and where N is an integer greater 
than 1. 

4. The method as defined by claim 3, wherein the ring R
is a ring of polynomials modulo a particular polynomial. 
5. The method as defined by claim 1, wherein said step
of generating elements further comprises generating element G_q
which is an inverse of g (mod q), and generating element G_p
which is an inverse of g (mod p).

6. The method as defined by claim 5, wherein said
element G_q is used in the derivation of said public key and
said element G_p is part of said private key.

7. The method as defined by claim 1, wherein said
selecting step further includes selecting a positive integer
K, and wherein said element g comprises respective g_i with i =
1, 2, ..., K, and wherein said public key, h, comprises
respective h_i with i = 1, 2, ..., K.

8. The method as defined by claim 7, wherein said
random element φ comprises respective φ_i in the ideal p, with i
= 1, 2, ..., K, and wherein said encoded message is produced as

$$e = \sum_{i=1}^{K} \phi_i * h_i + m \pmod q.$$



9. The method as defined by claim 1, wherein said 
public and private keys each further include p and q. 
10. The method as defined by claim 1, wherein said
ideals p and q are generated by relatively prime integers. 

11. The method as defined by claim 10, wherein the
encoded message is congruent, mod q, to the sum of the message
m and a product that includes φ and h.

12. The method as defined by claim 10, wherein said 
integers p and q are unequal and both p and q are greater than 
1. 

13. The method as defined by claim 1, wherein said 
encoded message is produced by a user at one location, 
transmitted from said one location to another location, and 
decoded by a user at said another location. 

14. A method for encoding and decoding a digital message
m, comprising the steps of:

selecting integers p and q;
generating polynomials f and g;
determining inverses F_q and F_p, where

F_q * f = 1 (mod q)

F_p * f = 1 (mod p);
producing a public key that includes p, q, h, where

h ≡ F_q * g (mod q);
producing a private key that includes f and F_p;
producing an encoded message e by encoding the
message m using the private key and a random element φ; and

producing a decoded message by decoding the encoded
message e using the private key.

15. The method as defined by claim 14, wherein said
encoded message e is produced as

e = pφ * h + m (mod q).

16. The method as defined by claim 15, wherein said
decoded message is produced by computing

a = f * e (mod q),
and then computing the decoded message, m', as
m' ≡ F_p * a (mod p).

17. The method as defined by claim 14, wherein said step
of generating polynomials f and g includes selecting a
positive integer K and generating K polynomials g, as g_1,
g_2, ..., g_K, and wherein said public key comprises h_1, h_2, ..., h_K,
where

h_i = F_q * g_i (mod q), i = 1, 2, ..., K.

18. The method as defined by claim 17, wherein said
encoded message e is produced as

e = pφ_1 * h_1 + pφ_2 * h_2 + ... + pφ_K * h_K + m (mod q)
where φ_1, φ_2, ..., φ_K are K random polynomials.

19. The method as defined by claim 14, wherein said
encoded message is produced by a user at one location,
transmitted from said one location to another location, and 
decoded by a user at said another location. 

20. The method as defined by claim 14, wherein a monic 
polynomial M(X) is selected and multiplication of polynomials 
is accomplished by first performing ordinary multiplication of 
polynomials and then dividing the result by M(X) and retaining 
only the remainder. 

21. The method as defined by claim 14, wherein a non- 
zero integer N is selected and multiplication of polynomials 
is accomplished by reducing exponents modulo N. 

22. The method as defined by claim 14, wherein said
polynomials f, g, m and φ are constrained to have bounded
coefficients.

23. The method as defined by claim 22, wherein said
integer q is chosen smaller than a quantity determined by the
said integer p, the degrees of the said polynomials f, g, m
and φ, and the said constraints on the coefficients of the
said f, g, m and φ.

24. The method as defined by claim 22, wherein said
integer q is chosen larger than a quantity determined by the
said integer p, the degrees of the said polynomials f, g, m
and φ, and the said constraints on the coefficients of the
said polynomials f, g, m and φ.

25. A method for encoding and decoding a digital
message, comprising the steps of:

selecting relatively prime integers p and q;
selecting a non-zero integer K;

producing K+2 matrices, f, g, w_1, w_2, ..., w_K from a ring
of matrices with integer coefficients, with w_i ≡ 0 (mod p) for
i = 1, 2, ..., K;

producing inverse matrices F_p, F_q, G_p and G_q, from
said ring of matrices where

fF_p ≡ I (mod p)
fF_q ≡ I (mod q)
gG_p ≡ I (mod p)
gG_q ≡ I (mod q)
where I is an identity matrix;

producing a public key as a list of K matrices
(h_1, h_2, ..., h_K) where

h_i = F_q w_i G_q (mod q), i = 1, 2, ..., K;
producing a private key as the matrices (f, g, F_p,
G_p);

producing an encoded message e by encoding the
message m using the private key and random integers
φ_1, φ_2, ..., φ_K as

e = φ_1 h_1 + φ_2 h_2 + ... + φ_K h_K + m (mod q); and
producing a decoded message m' by computing
a = f e g (mod q)
and

b = a (mod p)
and then computing the decoded message m' as
m' = F_p b G_p (mod p).

26. The method as defined by claim 25, wherein said 
encoded message is produced by a user at one location, 
transmitted from said one location to another location, and 
decoded by a user at said another location. 

27. The method as defined by claim 25, wherein said
matrices w_1, w_2, ..., w_K, f, g, and m are constrained to have
bounded coefficients and the integers φ_1, φ_2, ..., φ_K are
constrained to be bounded.

28. The method as defined by claim 27, wherein said
integer q is chosen smaller than a quantity determined by said
integer p, said integer K, the degrees of said polynomials
w_1, w_2, ..., w_K, f, g, and m, said constraints on the coefficients
of said polynomials w_1, w_2, ..., w_K, f, g, and m, and said
constraints on the integers φ_1, φ_2, ..., φ_K.

29. The method as defined by claim 27, wherein said
integer q is chosen larger than a quantity determined by said
integer p, said integer K, the degrees of said polynomials
w_1, w_2, ..., w_K, f, g, and m, said constraints on the coefficients
of said polynomials w_1, w_2, ..., w_K, f, g, and m, and said
constraints on the integers φ_1, φ_2, ..., φ_K.

30. A system for encoding and decoding a digital
message m, comprising:

means for selecting ideals p and q;

means for generating elements f and g of a ring R,
and generating element F_q which is an inverse of f (mod q), and
generating element F_p which is an inverse of f (mod p);

means for producing a public key that includes h,
where h is congruent, mod q, to a product that can be derived
using g and F_q;

means for producing a private key from which f and F_p
can be derived;

means for producing an encoded message e by encoding
the message m using the public key and a random element φ; and

means for producing a decoded message by decoding
the encoded message e using the private key.



31. The system as defined by claim 30, wherein said 
encoded message is produced by a user at one location, 
transmitted from said one location to another location, and 
decoded by a user at said another location. 

32. A method of communicating information between users
of a communications system, the method comprising the steps
of:

generating a ring R, ideals P and Q in R, a set of
coset representatives C_Q for the ring R modulo the ideal Q, and
a set of coset representatives C_P for the ring R modulo the
ideal P;

generating at least one public key element h_1, ..., h_k
in the ring R as a function of at least two private key
elements f_1, ..., f_n in R and the ideal Q of the first user; and

transmitting from a first user to a second user a
description of the ring R, the ideal Q, the ideal P, and the
elements h_1, ..., h_k in R;

generating an element e in R as a function of the
ideals P and Q, the public key elements h_1, ..., h_k, a private
message element m in R, and at least one private random
element φ_1, ..., φ_t of the second user; and

transmitting the element e from the second user to
the first user, such that the first user can determine the
message element m by computing the result A in R of evaluating
the function F of e, f_1, ..., f_n, computing the coset
representative a of A in the set of coset representatives C_Q,
computing the result B of evaluating the function G of
a, f_1, ..., f_n, computing the coset representative b of B in the
set of coset representatives C_P, and computing the result c in
the set of coset representatives C_P of evaluating the function
H of b, f_1, ..., f_n.
33. The method of claim 32, wherein the message element
m satisfies the condition that m is an element of C_P.

34. The method of claim 32, wherein the first user
determines the message element m by computing a function of
a, b, c, f_1, ..., f_n.

35. The method of claim 32, wherein the public key
elements h_1, ..., h_k satisfy the condition that the element f_i is
congruent in R to the product h_i f_{k+1} modulo the ideal Q for each
i between 1 and k.

36. The method of claim 32, wherein the private key
elements f_1, ..., f_{k+1} satisfy the condition that the elements
f_1, ..., f_k are in the ideal P.

37. The method of claim 32, wherein the private random
elements φ_1, ..., φ_t are in the ideal P.



38. The method of claim 32, wherein the element e
generated as a function of the public key elements h_1, ..., h_k,
the private random elements φ_1, ..., φ_{k+1}, and the private message
element m is generated as an element of C_Q which is congruent
to φ_1 h_1 + φ_2 h_2 + ... + φ_k h_k + φ_{k+1} + m modulo the ideal Q.

39. The method of claim 32, wherein the result A of
evaluating the function F of e, f_1, ..., f_n is the product e f_{k+1}.

40. The method of claim 32, wherein the result B of
evaluating the function G of a, f_1, ..., f_n is the element a.

41. The method of claim 32, wherein the result c in the
set of coset representatives C_P of evaluating the function H of
b, f_1, ..., f_n satisfies the condition that c f_{k+1} is congruent to b
modulo the ideal P.

42. The method of claim 32, wherein the result c is
equal to the coset representative of the message m in the set
of coset representatives C_P.

43. The method of claim 32, wherein the ring R is a ring
of polynomials in one variable X modulo the ideal of R
generated by a monic polynomial M(X) of degree N, wherein the
ideal Q of R is the ideal generated by an integer q, the ideal
P of R is the ideal generated by an integer p, the set of
coset representatives C_Q is the set of polynomials of degree at
most N−1 in R with coefficients in a fixed set of coset
representatives modulo q, and wherein the set of coset
representatives C_P is the set of polynomials of degree at most
N−1 in R with coefficients in a fixed set of coset
representatives modulo p.

44. The method of claim 43, wherein the private key
elements f_1, ..., f_n, the private message element m in R, and the
private random elements φ_1, ..., φ_t satisfy conditions that
include bounds on their coefficients.

45. The method of claim 32, wherein the ring R is non- 
commutative. 

46. The method of claim 32, wherein the elements h_1, ..., h_k
are generated in C_Q according to the condition that the element
is congruent in R to f_i modulo the ideal Q for each i
between 1 and k.

47. The method of claim 32, wherein the private key
elements f_1, ..., f_n are in the ideal P.

48. The method of claim 32, wherein the private random
elements φ_1, ..., φ_{2k+1} satisfy the condition that the elements
φ_1, ..., φ_k are in the ideal P.

49. The method of claim 45, wherein the element e
generated as a function of the public key elements h_1, ..., h_k,
the private random elements φ_1, ..., φ_{2k+1}, and the private
message element m is generated as an element of C_Q which is
congruent to φ_1 h_1 φ_{k+1} + φ_2 h_2 φ_{k+2} + ... + φ_k h_k φ_{2k} + φ_{2k+1} + m modulo the
ideal Q.

50. The method of claim 32, wherein the ring R is a ring
of matrices with integer coefficients, the ideal Q of R is the
ideal consisting of all matrices divisible by a fixed integer
q, the ideal P of R is the ideal consisting of all matrices
divisible by a fixed integer p, that the set of coset
representatives C_Q is the set of elements of R with
coefficients in a fixed set of coset representatives modulo q,
and that the set of coset representatives C_P is the set of
elements of R with coefficients in a fixed set of coset
representatives modulo p.

51. The method of claim 50, wherein the private key
elements f_1, ..., f_n, the private message element m, and the
private random elements φ_1, ..., φ_t satisfy conditions that
include bounds on their coefficients.

52. The method of claim 50, wherein the private random
elements φ_1, ..., φ_t satisfy the condition that φ_1, ..., φ_t are
constant multiples of the identity matrix.

53. The method of claim 32, wherein the ring R is a
group ring of a group G, the ideal Q of R is the ideal
generated by an integer q, the ideal P of R is the ideal
generated by an integer p, the set of coset representatives C_Q
is the set of elements of R with coefficients in a fixed set
of coset representatives modulo q, and that the set of coset
representatives C_P is the set of elements of R with
coefficients in a fixed set of coset representatives modulo p.
54. The method of claim 53, wherein the private key
elements f_1, ..., f_n, the private message element m, and the
private random elements φ_1, ..., φ_t satisfy conditions that
include bounds on their coefficients.

55. The method of claim 32, wherein the ring R is a non-
commutative ring of polynomials in two variables X and Y
subject to the dihedral relations X^N = 1, Y^2 = 1, and XY = YX^{N−1},
the ideal Q of R is the ideal generated by an integer q, the
ideal P of R is the ideal generated by an integer p, the set
of coset representatives C_Q is the set of polynomials in R of
degree at most N − 1 in the variable X with coefficients
chosen from a set of coset representatives modulo q, and
wherein the set of coset representatives C_P is the set of
polynomials in R of degree at most N − 1 in the variable X
with coefficients chosen from a fixed set of coset
representatives modulo p.

56. The method of claim 55, wherein the private key
elements f_1, ..., f_n, the private message element m, and the
private random elements φ_1, ..., φ_t satisfy conditions that
include the condition that some of them lie in the commutative
subring R_0 of R consisting of all elements ψ of R which satisfy
the condition Yψ = ψY.